Preface

There is a growing awareness that most specification and verification methods
have reached their limits. Model-checking (in spite of the striking progress due
to symbolic methods) can check finite-state systems up to a certain size, and
deductive methods, due to the heavy user interaction required, can handle only
systems of small complexity. If there is hope that industrial-size designs can be
handled by formal methods, it must be based on the two premises of
compositionality and abstraction.

Under compositionality, we include any method by which the properties of 
a system can be inferred from properties of its constituents, without additional 
information about the internal structure of these constituents. The two main 
questions that have to be addressed in forming a viable compositional theory 
are: 

— How to decompose a global specification into local specifications which will
be satisfied by the individual components?

— Having shown that the local specifications are satisfied by their respective
components, how to infer the global specification from this?

One of the recently suggested methods for combining algorithmic (model-checking)
with deductive (proof-theoretic) verification methods is by the use of
compositional methods, in which the local specifications are verified by
algorithmic methods and the specification decomposition and re-composition are
done using deductive technology.

This particular suggestion, as well as many others, was considered at the
Symposium “Compositionality: The Significant Difference” (COMPOS’97),
organized at Hotel Intermar, Bad Malente, Germany, September 8-12, 1997. The
idea for organizing this symposium was suggested by Ben Moszkowski.

The present volume constitutes the proceedings of this symposium. It reflects
the current state-of-the-art in compositional reasoning about concurrency. Apart
from the contributions written by the speakers, this volume also contains a
contribution by Mads Dam. In order to put all those contributions into proper
perspective, one of the organizers, W.-P. de Roever, has written a survey for
these proceedings describing the main issues in compositional reasoning and the
history of their evaluation, as reflected in the current literature.

We gratefully acknowledge the financial support for this symposium by a
grant from the Deutsche Forschungsgemeinschaft DFG (grant no. 4851/225/97),
by a donation from one of the organizers, H. Langmaack, and by the Dutch
“Stichting AFM” headed by J. Vytopil.

The local organization was in the able hands of Anne Straßner. We express
our genuine gratitude to her for her efforts.

Last but not least, we would like to thank the speakers for their active and 
responsive participation, for giving such excellent talks, and for putting so much 
effort in writing their contributions. This made this symposium a memorable 
event not only for its participants but also for its organizers. 

September 1998 W.-P. de Roever, H. Langmaack, A. Pnueli

Abstract. A survey is given of the main issues in compositional reasoning
about state-based parallelism and of the history of their evolution,
as reflected in the current literature. Compositional proof techniques are
presented as the proof-theoretical analogue of Dijkstra’s hierarchically-
structured program development. Machine-support for compositional
reasoning, and the relationship between compositionality and modularity
are discussed. The issues when compositional reasoning about concurrency
is successful, and when it isn’t, are commented upon. Pointers
to the other papers in this volume are provided.



1 Introduction 

1.1 What this paper is about 

The paper in front of you presents a survey of the main issues and trends in 
state-based compositional reasoning about concurrency, and the history of their 
evolution, as reflected in the current literature. It includes a list of references to 
this subject, as well as pointers to the other papers in this volume. It is written as 
introduction for the proceedings of the International Symposium COMPOS ’97. 

These proceedings reflect the current state of the art in state-based compo- 
sitional reasoning about concurrency. 

1.2 Structure of this paper 

Section 1.3 gives a brief account of the development of state-based program
verification and compositional reasoning, up to the point where the contributions
in this volume take over, namely the fundamental results by Misra & Chandy
[MC81] and Jones [Jon81, Jon83], presenting the first compositional proof rules
for, respectively, synchronous message passing and shared variable concurrency.
Section 2 discusses the verify-while-develop paradigm, and section 3 its
relationship with compositional reasoning, leading to the conclusion that
compositional proof techniques can be viewed as the proof-theoretical analogue
of Dijkstra’s hierarchically-structured program development. The
assumption-commitment and rely-guarantee paradigms are the subject of
section 4, and machine-support for compositional verification that of section 5.
Section 6 discusses the relationship between compositionality and modularity,
section 7 represents an attempt at demystifying the complexity of compositional
reasoning, and section 8 comments briefly upon the issue when compositional
reasoning is successful. A conclusion and a list of references to the subject
complete the paper.

1.3 Stages in the history of program verification 

Within the context of predicate logic, the principle of compositionality was
already formulated in 1923 by G. Frege [Fre23]. The first ones to relate Frege’s
notion of compositionality to logics for program proving were P. van Emde Boas
and T.M.V. Janssen in [JvEB80]. This principle and its application to specifying
compiler correctness are the themes of Janssen’s contribution to this volume.

Interestingly, when one follows the development of program proving methods 
(which started in 1949 with a publication by A. Turing [Tur49]), the main direc- 
tion is from a-posteriori nonstructured program proving methods to structured 
compositional methods [dR85, HdR86]. 

For sequential programs this development is easy to trace. First R.W. Floyd’s
noncompositional method appeared in 1967 [Flo67] (a year earlier, P. Naur
developed in [Nau66] related ideas). His method, called the inductive assertion
method, is based on labelled transition diagrams - directed graphs whose edges
are labelled with guarded multiple assignments - whose nodes are associated
with boolean state functions. The resulting assertion network is called
inductive whenever for every pair of nodes $(l, l')$ in a diagram which is
connected by a directed edge, the corresponding pair $(Q_l, Q_{l'})$ of
associated boolean state functions satisfies the so-called verification condition
associated with that edge. This verification condition expresses that whenever
$Q_l$ is satisfied in some state, and the transition associated with that edge is
taken, the resulting state satisfies $Q_{l'}$. This method is noncompositional
because there is “no room”, so to speak, for program development between a
specification and the atomic parts of a transition diagram. As we will see, this
situation changes when transition diagrams are provided with an algebraic
structure, s.t. they, as well as their associated inductive assertion networks,
can be decomposed into their components. To use an analogy: in Floyd’s original
approach a house is considered to consist of bricks, beams, tubes, electric
wires, glass etc., rather than of a roof, walls, floors, plumbing, power supply
and the like. Clearly, when developing programs from their specification one
needs, mutatis mutandis, the latter higher level of abstraction.
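The verification condition just described can be checked mechanically once the state space is finite. The following Python example is added here and is not from the paper: it encodes a small labelled transition diagram (a loop counting a variable $x$ up to a constructed bound $N$), attaches a boolean state function $Q_l$ to each node, and checks Floyd's verification condition on every edge by enumerating a finite domain of states. A second, weaker assertion network that forgets the upper bound is included to show how a non-inductive network is reported. All names (`EDGES`, `NETWORK`, `WEAK_NETWORK`, `DOMAIN`) are constructed for this illustration.

```python
# Added example (not from the paper): Floyd's inductive assertion method on a
# small labelled transition diagram, checked by enumeration over a finite domain.

N = 5                       # constructed bound for the counting loop
DOMAIN = range(-1, N + 2)   # finite set of x values to enumerate (includes out-of-range states)

# Labelled transition diagram: edges (source node, target node, guard, assignment).
# Each edge is a guarded assignment to the single program variable x.
EDGES = [
    ("loop", "loop", lambda x: x < N,  lambda x: x + 1),   # increment while below N
    ("loop", "exit", lambda x: x >= N, lambda x: x),       # leave the loop
]

# Assertion network: a boolean state function Q_l attached to every node l.
NETWORK = {
    "loop": lambda x: 0 <= x <= N,
    "exit": lambda x: x == N,
}

# A weaker network (constructed) that is NOT inductive: it forgets the upper bound,
# so the loop->exit edge can be taken from a state with x > N.
WEAK_NETWORK = {
    "loop": lambda x: x >= 0,
    "exit": lambda x: x == N,
}


def verification_condition(q_src, q_dst, guard, assign, states=DOMAIN):
    """Floyd's verification condition for one edge (l, l'): whenever Q_l holds and
    the guard is enabled, taking the transition yields a state satisfying Q_l'.
    Returns the first counterexample state, or None if the condition holds."""
    for x in states:
        if q_src(x) and guard(x) and not q_dst(assign(x)):
            return x
    return None


def inductiveness_failures(network, edges=EDGES, states=DOMAIN):
    """Check every edge of the diagram; the network is inductive iff this list is empty."""
    failures = []
    for src, dst, guard, assign in edges:
        cex = verification_condition(network[src], network[dst], guard, assign, states)
        if cex is not None:
            failures.append((src, dst, cex))
    return failures


def is_inductive(network, edges=EDGES, states=DOMAIN):
    return not inductiveness_failures(network, edges, states)


def proves_partial_correctness(network, entry="loop", init_x=0):
    """Partial correctness in Floyd's sense: the initial state satisfies the entry
    assertion and the network is inductive, so Q_exit holds whenever exit is reached."""
    return network[entry](init_x) and is_inductive(network)


if __name__ == "__main__":
    print("inductive:", is_inductive(NETWORK))                             # True
    print("weak network fails on:", inductiveness_failures(WEAK_NETWORK))  # [('loop', 'exit', 6)]
```

Note that the check works on the flattened diagram: every atomic edge is examined directly against the global assertions, which is exactly the sense in which the method is noncompositional.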

Floyd’s method was cast in an axiomatic compositional style by C.A.R. Hoare
for sequential programs in 1969 [Hoa69]. Hoare observed that programs had a
syntactic structure, and that this structure could also be given to their
correctness proofs for purposes of program development.

His paper is the first one that defines a programming language in terms
of how its programs can be proved correct with respect to their specifications
rather than in terms of how they are executed. That is, it reduces proving every
specification for some composed program construct - in this case obtained by
application of the sequential composition, if-then-else and while operators - to
proving specifications for its constituent operands, without the need for any
further information whatsoever. And this is what compositionality is all about.
Also in 1969, Edsger W. Dijkstra wrote the following paragraph in [Dij69a]:

“On Understanding Programs.

On a number of occasions I have stated the requirement that if we
ever want to be able to compose really large programs reliably, we need
a discipline such that the intellectual effort E (measured in some loose
sense) needed to understand a program does not grow more rapidly than
proportional to the program length L (measured in an equally loose sense)
and that if the best we can attain is a growth of E proportional to, say,
$L^2$, we had better admit defeat. As an aside I used to express my fear
that many programs were written in such a fashion that the functional
dependence was more like an exponential growth!”

Since the complexity of compositional reasoning grows linearly w.r.t. the pro- 
gram size (as will be discussed later) , this paragraph is the first reference within 
the computer science literature to the desirability of compositional reasoning. 
The above quotation is very general. A related argument, but then focusing on 
concurrency, appears in [Dij72, especially on page 75]. 

It is not our intention here to give a full account of the rich development of 
verification methods for sequential program constructs. 

For concurrent and distributed programs proof methods turned out to be 
difficult to develop due to the problem of how to formalize the, in general, close 
interaction between the separate processes while they are executing. For certain 
types of programs, such as operating systems, this close interaction is even their 
one and only purpose. 

For shared variable concurrency, the first Hoare-like proof system was due to 
Owicki & Gries in 1976 [OG76]. Technically this feat was performed by ramifying 
the notion of specification by Hoare triples by means of the introduction of 
proof outlines. Proof outlines are systematically annotated program texts in 
which at every control location a predicate is inserted, which characterizes the 
program state at that point. By requiring that these predicates remain invariant 
under the execution of assignments in other processes - as expressed by the 
so-called interference freedom test - the influence of concurrent operations on 
shared variables is mathematically captured. Because proof outlines annotate the 
program text, they use additional information about the underlying execution 
mechanism, and therefore any logic based on them is noncompositional. 

For distributed synchronous communication such proof systems were
independently discovered by two teams: Apt, Francez & de Roever [AFdR80] and
Levin & Gries [LG81]. Here, synchronous communication was captured
proof-theoretically by the so-called cooperation test. This test also operates
on proof outlines for the various processes which constitute a program. It
requires essentially that for communicating pairs of input-output actions - the
actual fact of communication is characterized by a global invariant, basically
over the communication histories of the various processes - the conjunction of
the two predicates associated by the respective proof outlines with the control
locations immediately before these input and output actions implies after
communication (which is mathematically expressed as a distributed assignment)
the two predicates associated with the locations immediately after these two
actions. Since only the input action can change the state of program variables,
in practice this test involves checking that the input values have been
appropriately specified in the postcondition of an input action w.r.t. the
particular environment in question. Also this method is noncompositional.

A third development was that of temporal logic by A. Pnueli in 1977, in- 
troduced originally as a logic for formal reasoning about the various so-called 
fairness requirements needed to implement various kinds of semaphores in mu- 
tual exclusion algorithms [Pnu77]. Also temporal logic is noncompositional. 

After the development of these first-generation proof principles for almost
every programming construct in existence, the stage was set for the next leap
forward: The formulation of compositional proof methods for concurrency, thus
enabling, as we shall see, the extension of Dijkstra’s paradigm of
hierarchically-structured program development to the systematic derivation of
concurrent programs.

All the proof methods and systems for concurrency which are discussed above 
apply to closed systems only, i.e., systems without any communication with pro- 
cesses outside of them. These derive their interest from the fact that one typically 
models the environment as a separate component, and then considers the system 
composed with its environment, which constitutes a closed system. However, that 
presupposes a fixed environment. And, for purposes of reusability one does not 
want to have this. That leads to consideration of open (i.e., nonclosed) systems, 
their specification, and their correctness. 

But how can one specify an open system which is intended to interact via,
e.g., certain prespecified shared variables? Certainly without knowing its
ultimate environment such a system cannot be verified using the method of Owicki
& Gries, or any other theory mentioned above, because one doesn’t know
beforehand which interference to expect.

A solution to that problem was given for shared-variable concurrency by Cliff
Jones in [Jon81, Jon83] and, for distributed communication by Jay Misra and
Mani Chandy in [MC81].

Jones proposed in his so-called rely-guarantee formalism to specify the
interference allowed by the environment of a component during its execution
without endangering fulfillment of the purpose of that component. The proposal
of Misra & Chandy is similar, be it that it applies to synchronous
communication, and is called the assumption-commitment (A/C) formalism.

Both formalisms are compositional, because the purpose of a compositional 
verification approach is to shift the burden of verification from the global level to 
the local, component, level, so that global properties are established by compos- 
ing together independently (specified and) verified component properties. And 
this is exactly what’s needed to specify open systems, for which one doesn’t 
know which environment will be provided. 
At this point these proceedings take over. More details about the A/C paradigm
can be found in section 4.

2 The verify-while-develop paradigm

Most of the literature on program correctness deals with a-posteriori program
verification, i.e., the situation that after the program has been obtained it is
proved correct, see, for instance [Man74, And91, AO91, Dah92, Fra92, Sch97].
Although a-posteriori verification has been indispensable for the development of
a truly mathematical theory of program correctness, it is a frustrating approach
in practice, because almost all programs contain errors. Discovering such an
error then leads to the need for correcting the program, and the corrected
program most of the time contains errors again. Nevertheless one hopes that this
is no nonterminating cycle. Hence the attempt at a correctness proof mostly leads
to the discovery of errors, i.e., a counterexample violating the original
specification, rather than a successful proof.

This situation becomes even more grave when considering concurrent programs
and systems. For then the number of cases to be verified when checking
the correctness of the interaction between their individual processes grows in
general exponentially w.r.t. the number of those processes. Consequently,
checking them all becomes well-nigh impossible, except, maybe, when this process
of checking has been mechanized. But even then the limits of naive machine
verification are quickly reached.

It would make sense, if, rather than disproving finished programs over and
over again in the course of attempting to prove them correct, one could be
convinced of the correctness of a design decision at the very moment one took
that decision during the process of top-down development of a program from its
specifications - a paradigm called “verify-while-develop”. This paradigm requires
one to verify that a program-in-the-making meets its specification by making
use of specifications for its constituent parts or modules while the implementing
program text of those parts is not yet available. This has the advantage that,
since every top-down development step now requires a correctness proof based on
the specifications of those parts (rather than their programming text), any
errors made during development of those parts according to these specifications
do not influence the correctness of this particular development step.
Consequently, no redundant verification work is done when following this
paradigm, in contrast to the situation with a-posteriori program verification.

Of course, the verify-while-develop strategy is not new. It is merely a
reformulation of the notion of hierarchically-structured program development,
advocated by Dijkstra and others since the end of the sixties [Dij68, Dij76,
Dij82].

3 Compositionality 

The technical property which is required of program correctness methods for
supporting the verify-while-develop paradigm is called “compositionality”:

“That a program meets its specification should be verified on the basis 
of specifications of its constituent components only, without additional 
knowledge of the interior construction of those components.” 

To make this verification strategy possible, programs and their parts are
specified using predicates only. Such specifications are called assertional. Now
the verification that a program satisfies its assertional specification should be
entirely carried out at the level of reasoning about these predicates, i.e., no
additional knowledge about the underlying execution mechanism of its parts is
allowed.

To be precise, compositional verification that a program P satisfies an
assertional specification $\varphi$ amounts to application of the following
recursive proof strategy:

1. In case P cannot be further decomposed, compositional verification that P
satisfies $\varphi$ is done directly, i.e., either by application of an axiom, or
by a proof based on the semantics of P and $\varphi$. Hence this amounts to a
traditional verification proof.

2. In case P is composed of parts $P_1, \ldots, P_n$, e.g., P is a network
$P_1 \parallel \ldots \parallel P_n$ with “||” expressing some form of parallel
composition, compositional verification that P satisfies $\varphi$ amounts to
executing the following steps:

(a) Find assertional specifications $\varphi_1, \ldots, \varphi_n$ for
$P_1, \ldots, P_n$ such that steps (b) and (c) below can be proved.

(b) Prove that P satisfies $\varphi$ whenever P is composed of parts $P_i$
satisfying $\varphi_i$, $i = 1, \ldots, n$. This proof consists of checking the
validity of an implication involving the specifications
$\varphi_1, \ldots, \varphi_n$ and $\varphi$ only, and is called a compositional
proof step.

(c) Recursive application of this proof strategy to compositional verification
that $P_i$ satisfies $\varphi_i$, $i = 1, \ldots, n$.

Since the syntax tree of P is finite, this process of proof decomposition termi- 
nates, because it is syntax directed. For the incorporation of recursive proce- 
dures into this proof strategy, we refer to the contributions of Dam, Fredlund 
and Gurov, and of Finkbeiner, Manna and Sipma, to this volume. 

How exactly are such compositional frameworks obtained? First of all, for
every composition operator $op^{P}$ in the programming language (e.g., sequential
composition and parallel composition “||”) there should exist an operator
$op^{S}$ in the specification language s.t.:

Whenever programming constructs $P_i$ satisfy specifications $\varphi_i$, for
$i = 1, \ldots, n$, one also has for every $n$-ary operator $op^{P}$ that
$op^{P}(P_1, \ldots, P_n)$ satisfies $op^{S}(\varphi_1, \ldots, \varphi_n)$.

Secondly, it is required that:

Whenever $op^{P}(P_1, \ldots, P_n)$ satisfies specification $\psi$, there exist
specifications $\varphi_i$ for $P_i$ s.t. $P_i \models \varphi_i$,
$i = 1, \ldots, n$, and $\models op^{S}(\varphi_1, \ldots, \varphi_n) \rightarrow \psi$
holds, i.e., $op^{S}(\varphi_1, \ldots, \varphi_n) \rightarrow \psi$ is valid in
the interpretation concerned.

These two properties imply that steps (a), (b) and (c) above can be carried 
out. 

Compositional reasoning owes its attractiveness to its application to parallel
composition, since it replaces operational reasoning with a complexity increasing
exponentially in the number of parallel components by reasoning compositionally
on the basis of given specifications, and the complexity of this way of reasoning
increases linearly w.r.t. the number of those specifications. This is discussed
later in section 7.

Compositional proof techniques have the advantage that they allow a
systematic top-down development of programs from their specification, which is
correct by construction, as illustrated in contributions of Broy, of Hooman and
of Olderog and Dierks to this volume. And this process of program derivation is
exactly the verify-while-develop paradigm! For, as a consequence of using
compositional techniques, each compositional proof (reduction) step (as defined
above) can be viewed as the verification of a design step, which only involves
reasoning about (the assertional specification of) that particular step and does
not involve any future design steps. This explains why in the definition of
compositional proof techniques above we stipulate that no additional knowledge
about the underlying execution mechanism of the constituent components (of the
to-be-verified program) is allowed. For, without that clause, reasoning about a
particular design step might involve reasoning about future design steps, and we
want these two stages to be independent.

This explains why compositional techniques can be viewed as the proof- 
theoretical analogue of Dijkstra’s hierarchically structured program develop- 
ment. 
This point of view is further worked out in Broy’s contribution to this volume;
Broy proves the compositionality of his mathematical model w.r.t. three forms of
refinement relations. In the contributions of Hooman and of Olderog and Dierks,
this viewpoint is extended to real-time systems; specifically, the latter prove
that real-time systems specified in a certain subset of the Duration Calculus
can be decomposed into an untimed system with suitable timers, and the former
illustrates how to specify real-time systems in a platform-independent way.

Finally, observe that nowhere in the account above are assertional
specifications required to be syntactically expressed in some logic language.
They can also be boolean-valued state functions. In fact, the above
characterization of compositionality can be extended as well to transition
diagrams with parallel composition and, in case of nested concurrency, sequential
composition as additional operations used for expressing the structure of those
diagrams. Now compositional verification can be formulated equally well in a
semantic framework based on transition diagrams and inductive assertion networks,
by extending the notion of verification condition in such a way that
independence of any influence by the environment is obtained (e.g., in case of
input transitions, these conditions should hold regardless of the particular
input value). This is worked out in the contribution of de Boer and me to this
volume, and clarifies, in my opinion, one of the points raised in Lamport’s
contribution. In fact, this semantic approach to compositionality is in our
opinion very close to the one which is used by Hooman, Shankar and others, in
order to define within PVS a semantic basis for machine-supported compositional
reasoning.



4 Specification and verification of open systems: the 
assumption-commitment paradigm 

In the context of a-posteriori program verification one tends to focus on proof 
methods and systems for concurrency which apply to closed systems only, i.e., 
systems without any communication with processes outside of them. Obviously, 
as remarked above, for the purpose of reusability the specification, development 
and verification of open systems is far more important. 

But how can one specify an open system which is intended to interact via,
e.g., certain prespecified shared variables without knowing that interaction
beforehand? Observe that the answer to this question is consistent with the very
purpose of compositional reasoning, since, because the environment of an open
system is not known, it can only be specified without giving any implementation
details about that environment, and this is exactly what compositional reasoning
is about.

A solution to that problem was suggested by Cliff Jones in [Jon81, Jon83] for
shared variable concurrency, and, for synchronous communication by Jay Misra
and Mani Chandy in [MC81].

Jones proposed in his so-called rely-guarantee formalism to specify the
interference allowed by the environment of a component during its execution
without endangering fulfillment of the purpose of that component. Here the rely
condition expresses the interference allowed, and the guarantee condition the
task to be performed, by that component. The proposal of Misra & Chandy applies
to synchronous communication, is called the assumption-commitment (A/C)
formalism, and embodies a similar kind of specification strategy. Although the
rely-guarantee and assumption-commitment paradigms were originally developed
independently, it was later realized that the induction principles reflected
by their associated parallel composition rules are similar [XCC94]. We shall
adhere, therefore, to the name assumption-commitment for both formalisms,
because the A/C paradigm was published earlier.

Both formalisms are compositional, because the purpose of a compositional 
verification approach is to shift the burden of verification from the global level 
to the local, component, level, so that global properties are established by com- 
posing together independently (specified and) verified component properties. 
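The rely and guarantee conditions just described, and the compositional steps (a)-(c) of section 3, can be made concrete on a finite example. The following Python code is added here and is not from the paper or from any of the cited formalisms' own tooling: it verifies two constructed components sharing one bounded counter $x$. Each component is checked in isolation against an abstract environment whose only constraint is the component's rely condition (any environment step the rely permits is explored); each of the component's own steps must satisfy its guarantee. The parallel composition rule then only needs the specifications: every component's guarantee must imply the others' rely, and the global invariant must be preserved by every guarantee. The component definitions (`P1`, `P2`, `P_BAD`), the relation `monotone_bounded` and the bound `N` are constructed for this illustration.

```python
# Added example (not from the paper): rely-guarantee (assumption-commitment)
# verification of two components sharing one bounded counter x in 0..N.
# Each component is verified in isolation under its rely condition; the global
# property follows from the guarantees alone, without inspecting the other
# component's code (steps (a)-(c) of the compositional proof strategy).

N = 4                    # constructed upper bound on the shared counter
VALUES = range(N + 1)    # finite domain of x

# A component is a list of its own atomic transitions: (guard(x), update(x)).
# Constructed components: P1 advances x when it is even, P2 when it is odd.
P1 = [(lambda x: x % 2 == 0 and x < N, lambda x: x + 1)]
P2 = [(lambda x: x % 2 == 1 and x < N, lambda x: x + 1)]
P_BAD = [(lambda x: x > 0, lambda x: x - 1)]   # decrements x: breaks its guarantee


# Rely and guarantee conditions are relations on (x before a step, x after it).
def monotone_bounded(x, x2):
    """Rely for each component / guarantee of each component: x may only grow,
    and never beyond N (reflexive, so environment stuttering is allowed)."""
    return x <= x2 <= N


def invariant(x):
    """The global property we want for the composed system."""
    return 0 <= x <= N


def check_component(trans, rely, guarantee, init):
    """Verify one component in isolation: explore every state reachable by its own
    steps interleaved with arbitrary environment steps permitted by `rely`, and
    require each own step to satisfy `guarantee`.  Returns (ok, reachable states)."""
    reachable, frontier = {init}, [init]
    while frontier:
        x = frontier.pop()
        successors = []
        for guard, update in trans:
            if guard(x):
                x2 = update(x)
                if not guarantee(x, x2):
                    return False, reachable          # own step violates the guarantee
                successors.append(x2)
        successors += [x2 for x2 in VALUES if rely(x, x2)]   # any step the environment may take
        for x2 in successors:
            if x2 not in reachable:
                reachable.add(x2)
                frontier.append(x2)
    return True, reachable


def discharges(g, r):
    """Side condition of the parallel composition rule: every step permitted by
    guarantee g is tolerated by rely r (so g's owner is a valid environment for r's)."""
    return all(r(x, x2) for x in VALUES for x2 in VALUES if g(x, x2))


def preserved_by(inv, g):
    """Compositional proof step: the invariant survives every step a guarantee permits,
    checked on the specification g only, not on any component's code."""
    return all(inv(x2) for x in VALUES for x2 in VALUES if inv(x) and g(x, x2))


def verify_parallel(components, relies, guarantees, init, inv):
    """Rely-guarantee reasoning for a closed network P_1 || ... || P_n:
    (1) each component meets its guarantee under its rely (local check, step (c)),
    (2) each component's guarantee implies every other component's rely,
    (3) the invariant holds initially and is preserved by every guarantee (step (b))."""
    for trans, rely, g in zip(components, relies, guarantees):
        ok, _ = check_component(trans, rely, g, init)
        if not ok:
            return False
    n = len(components)
    if not all(discharges(guarantees[i], relies[j])
               for i in range(n) for j in range(n) if i != j):
        return False
    return inv(init) and all(preserved_by(inv, g) for g in guarantees)


if __name__ == "__main__":
    specs = [monotone_bounded, monotone_bounded]
    print(verify_parallel([P1, P2], specs, specs, 0, invariant))      # True
    print(verify_parallel([P1, P_BAD], specs, specs, 0, invariant))   # False
```

Each local check explores at most $N+1$ states of one component under its rely, and the composition step ranges over the specifications only; no product state space of the two components is ever built, which is the linear-versus-exponential point made in section 3. Replacing `P2` by `P_BAD` is rejected already in the local check of `P_BAD`, without `P1` being re-examined.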

Of all the approaches to the compositional verification of concurrency, this
assumption-commitment paradigm is the one studied best [MC81, Jon83, Oss83,
Sou84, Pnu84, ZdBdR84, BK85, Sta85, ZdRvEB85, GdR86, Lar87, Sti88, Zwi89,
Jos90, Hoo91, PJ91, XH91, AL93, AP93, Col93, Jos93, KR93, Col94, CMP94,
DH94, XCC94, AL95, DJS95, XdRH97]. Manna and Pnueli incorporate similar
ideas in section 4.3 of [MP95] for proving invariance properties in a setting of
temporal logic; additional references to compositional approaches in that setting
are [MCS82, NDOG86, CMP94, Jon94].

The formulation of the A/C paradigm for invariance properties is simpler 
than for (the combination of invariance and) liveness properties expressed in 
temporal logic. The reader is referred to the contributions of Shankar and of 
Xu and Swarup to this volume for an explanation why this is the case and how 
this problem is resolved. Suffice to say here that, in case of combinations of 
invariance and liveness properties, by a result of [AS85, Sch87] these properties 
can be written as the conjunction of a maximal invariance and minimal liveness 
property, to which separate forms of A/C reasoning are applied [AL91]. This is 
worked out in, e.g., [MCS82, AL93, AP93, Col94, CMP94, AL95]. 

The contribution of Xu and Swarup extends this paradigm to real-time. The 
contribution of Kupfermann and Vardi to this volume investigates the complexity 
of the A/C paradigm in the context of model-checking, for different combina- 
tions of linear time and branching time logics used for expressing the separate 
specifications of assumption and commitment. 

The specification and proof of open distributed systems using a new
alternating-time temporal logic is proposed in the contribution of Alur, Henzinger
and Kupfermann to this volume. The same topic is addressed in the contribution
of Dam, Fredlund and Gurov, using a temporal logic based on a first-order
extension of the modal μ-calculus for the specification of component behavior.

5 Compositionality and machine-supported verification

The promise of the previously discussed joint verify-while-develop paradigm/
compositional proof-generation strategy is based on its potential for application
in the large, as witnessed by the growing list of academic and industrial claims in
this respect [Lar87, LT87, CLM89, Jos90, KR90, LT91, HRdR92, LS92, Bro93,
Jos93, KL93, CMP94, DH94, GL94, Jon94, Mos94, DJS95, Hoo95, Cau96, KV96,
SY96, BL098a, BL098b, DJHP98, Sha98]. This is mainly due to the effort made
in recent years towards machine-support of this form of reasoning. This effort is
caused by the following factors.

As we have seen, compositional methods enable reasoning about complex
systems because they reduce properties of complex systems to properties of their
components which can be checked independently of their environment. Now the
same applies to reasoning about complex finite state systems. E.g., verification
approaches based on the fully automatic technique of model checking fail to scale
up gracefully because the global state space that has to be explored can grow
exponentially in the number of components [GL94]. Also here compositional
verification offers a solution by restricting the model checking procedure to
verifying local, component level properties, and using combinations of
interactive and machine-based theorem proving for verifying that the
machine-verified local properties imply the desired global property [CLM89,
Jos90, Jos93, Kle93, GL94, DJS95, KV96, Sha98].

This is discussed in the contributions of Alur, Henzinger and Kupfermann, 
of Damm, Josko, Hungar and Pnueli, and of Berezin, Campos and Clarke to this 
volume. 

Secondly, complex systems, and especially safety critical ones, are in great
need of formal verification. Also, the formal verification of crucial components
of such systems has acquired higher industrial priority ever since INTEL lost an
estimated 500 million US Dollars due to a bug in its Pentium chip. Now
compositional proof methods are reported to allow such verification tasks in
practice for medium-size examples. Also in case of the verification of infinite
state systems, it makes therefore sense to complement the above mentioned
combination of automatic and theorem-proving-based verification techniques by
compositional reasoning supported by semi-automated proof checking methods such
as, e.g., PVS [ORSvH95], as reported in [Hoo95, HvR97, Sha98], and other methods,
for which we refer to the contributions of Hooman, and of Shankar to this volume.
As already stated, Hooman and Shankar encode a semantical characterization
of compositional verification in PVS, which is similar to the one discussed in the
contribution by de Boer and me.



6 Compositionality, completeness and modularity 

In specification, the compositionality principle implies a separation of concerns between the use of (and reasoning about) a module, and its implementation. As Lamport says [Lam83], it provides a contract between programmer and implementor:

— One can program a task by the use of modules of which one only knows the 
specification without any knowledge about their implementation, and 

— one can implement a module solely on the basis of satisfying its specification 
without any knowledge of its use. 

Thus one separates programming with modules on the basis of their specifications 
from implementing a module such that its specification is satisfied. 

To succeed in this contract between programmer and implementor, all aspects 
of program execution which are required to define the meaning of a construct 
must be explicitly addressed in semantics and assertion language alike. Hence 
all assumptions which are needed regarding the environments in which a module 
will function - because these influence the behavior of that module - must be 
made explicit as parameters (in both the semantics and the specification of 
that module), for only then one may abstract from the remaining aspects. This 
is especially required when specifying fixed components, which can be taken 
ready-made from the shelf, so to say. 

In order to understand the relationship between the compositionality prin- 
ciple and Lamport’s view of a specification as a contract between programmer 
and implementor, in [Zwi89, ZHLdR95] the terminology regarding composition- 
ality is refined by distinguishing the compositionality property, which is needed 
when developing a program in top-down fashion from its specification, from the 
property called modularity (also called modular completeness in [Zwi89]), which 
is needed when constructing programs from re-usable parts with fixed proven 
specifications in bottom-up fashion. Similar distinctions are made in the work of 
Abadi and Lamport [AL93, AL95]. 

Thus, compositionality refers to the top-down approach, stating that for every 
specification of a compound construct there exist specifications for its parts such 
that those specifications imply the original specification without further infor- 
mation regarding the implementation of these parts. The principle of modularity 
refers to the bottom-up approach, and requires that, whenever a property of a 
compound statement follows semantically from the a priori given specifications 
of its fixed components, this should always be deducible in the proof system in 
question. As argued in [Zwi89] this amounts to requiring compositionality plus 
a complete, so-called, adaptation rule. 

The simplest known adaptation rule is the consequence rule, familiar from, e.g., Hoare and temporal logics. In general, given the fact that a certain property φ has been proved of a given component C, adaptation rules state how to “plug” this proof into a proof context in which another property, say ψ, of that component C is needed. (The formulation of such rules, e.g., for assumption-commitment-based formalisms, is far from trivial [ZHLdR95], and still represents a veritable research effort.) Completeness of such a rule amounts to the property that, whenever some requested property ψ of C is semantically implied by the already established property φ of C, then the adaptation rule can be applied, resulting in a proof that component C satisfies the required property ψ.
Consequently, also when programming solely on the basis of given, fixed, specifications, a compositional framework is required in order to convince oneself of the correctness of one’s programs in a formal set-up which has both the potential for application in the large and allows modules to be specified so as to provide a contract between programmer and implementor in Lamport’s sense above.

The relationship between compositional proof systems, completeness and modularity is further discussed in a paper by Trakhtenbrot [Tra].

The paper by Finkbeiner, Manna and Sipma in this volume presents a for- 
malism for modular specification and deductive verification of parameterized fair 
transition systems, with an extension to recursion. 



7 The complexity of compositional reasoning 

Take an automaton with 10 states and consider the parallel composition of 80 of such automata. This results in a product automaton of 10^80 states - that is, more states than the number of electrons within our universe!

Consider now the Internet. Certainly only 80 computers operating in parallel is chicken feed; many many more are operating in parallel! As we saw above, the number of states of the product automaton is exponential in the number of constituting automata. Consequently, a description of the Internet using an enumeration of in principle possible states is completely unrealistic.

This example shows that an analysis using product automata may not be the 
appropriate one to analyze the parallel composition of programs (although it sets 
lower bounds for worst-case complexity). After all, also human beings operate 
in parallel, and do not perceive their human environment as being composed of 
a product automaton recording the changes inside that environment. 

Using compositional specification methods, the parallel composition of processes can be specified using the conjunction of the specification of the separate processes. Hence the complexity of this description is linear, rather than exponential, in the number of those specifications.

Next, assume that inside these specifications disjunctions are used to list various possibilities, and the conditions subject to which these arise. Then, using de Morgan’s law about the distribution of disjunctions over conjunctions such a linear description may still, in the worst case, lead to the same exponential number of separate cases to be considered. So what did we gain?

Return to the analogy with man, above. What other (wo)men observe are not the state changes inside their fellow human beings but rather changes in their (inter)faces or attitudes, from which a lot of local internal changes have been eliminated.

The Need for Compositional Proof Systems: A Survey

Similarly, compositional specifications record changes in interfaces between programs (or processes), i.e., the change of externally (i.e., to other programs) visible quantities, and not the change in internal quantities, such as local variables, communication along local channels and the like. Also, as already observed, compositional specifications express the conditions under which such external changes occur.

Now, de Morgan’s law still applies w.r.t. distributing disjunctions inside 
(compositional) specifications over conjunctions between specifications. How- 
ever, due to the fact that compositional specifications also express the conditions 
under which the externally visible changes occur, in case the interaction between 
processes is not too tight, only a manageable amount of such combinations of ex- 
ternally visible state changes (of the separate processes) needs to be considered, 
i.e., are consistent - one hopes at least so few that the number of consistent com- 
binations has a manageable complexity. And this belief is supported by current 
programming practice. 

The assumption behind this belief is that communicating computers, op- 
erating in parallel, are invented by man, and, since mankind cannot cope with 
exponential complexity, any man-made artifact which works, and consists of par- 
allel components, must somehow be possible to characterize using a very much 
lower than exponential complexity in the number of processes. 

Combining the observations made so far leads to the conclusion that, in gen- 
eral, compositional reasoning is successful for correctness-preserving top-down 
derivation of concurrent programs, where processes do not interact too tightly. 
However, there are also programs to which this assumption does not immediately 
apply, e.g., Chandy & Misra’s solution to the “Drinking-Philosophers Problem” 
[CM84] or the distributed computation of greatest common divisors, in which 
some form of global property must be maintained which doesn’t easily lend it- 
self to decomposition. Then compositional reasoning does not help, and does not 
lead to clearer proofs. The issue when compositional reasoning is successful, and 
when it isn’t, will be further discussed in the next section. 

Consequently, when considering program verification, it is certainly the case that compositional reasoning plays an important role, especially in case of top-down development (or reconstruction). But this does not detract from the need to develop other manageable verification techniques, which improve the complexity of the reasoning process in case of programs whose development requires application of other kinds of principles. Examples of such noncompositional verification methods and development principles, such as the communication closed layers principle, can be found in the contribution of Zwiers to this volume.

8 When is compositional reasoning successful? 

In which areas of verification is compositional reasoning successful? 

The main focus of this volume is on compositional techniques for reasoning 
about parallelism. Therefore we shall discuss how well various language con- 
cepts combine with parallelism, from the point of view of obtaining a successful 
compositional characterization. 

W.-P. de Roever

Before doing so, one should realize that the issue here is not which language features can be characterized compositionally and which cannot, because all language constructs can be characterized in a compositional way. This can be seen as follows.

The meaning of every programming construct can be defined by giving its denotational semantics. In a denotational semantics the meaning of a composed construct is a (mathematical) function of the meaning of its components. (The distinction between denotational and compositional semantics is the use of fixed-point operations in the former.) But this implies that all the information required for reasoning about that composed construct is already obtainable from the meanings of its components. Therefore, the very point of compositional reasoning - that it can be carried out within a single uniform formalism - is met. Thus, in principle, the language of mathematics can be used as assertion language for reasoning compositionally about every programming construct, on the basis of the denotational semantics of that construct.

However, the measure of success of a compositional characterization is its 
simplicity. And this forces one to proceed in a more subtle manner, when looking 
for a really successful compositional characterization. 

The first issue in obtaining a compositional characterization of a language 
feature or construct is which observables must be additionally introduced in 
order to make its meaning a function of its parts. E.g., when reasoning com- 
positionally about real-time, not only the time at which actions occur must be 
recorded as an event in the semantics, but also the time required for waiting for 
synchronization. (Of course, this analysis is also required in the “denotational” 
approach sketched above.) Then one should make sure to use the coarsest com- 
positional semantics which is consistent with the observables chosen, and which 
still distinguishes observably different constructs. I.e., one tries to obtain a, so- 
called, fully abstract semantics. On the basis of this information, the simplest 
possible logic is designed for reasoning about this semantics, which distinguishes 
programming constructs if, and only if, those constructs have a different mean- 
ing in this semantics. In this logic every semantical function associated with a 
programming construct should be represented by a corresponding logical oper- 
ator, which has the logical characterization of the operands of that function as 
arguments. 

Details about this can be found in my forthcoming textbook [dRdBH+]. 

The simplest denotational semantics of a parallel operator is obtained by intersecting the semantics of its arguments. Consequently, the simplest logical characterization of that operator is conjunction. Such a characterization applies to synchronous communication, and to synchronous languages such as, for instance, LUSTRE, ESTEREL, SIGNAL, and TLA (the former three synchronous languages were originally designed for the description of real-time embedded systems). No wonder that many papers in this volume - those by Benveniste, Le Guernic and Aubry, by Berezin, Campos and Clarke, by Lamport, by Maraninchi and Remond, and by Poigne and Holenderski - are based on that paradigm, which is now getting successfully established in industry. Since hardware operates synchronously (as Gerard Berry has relentlessly been pointing out), also compositional reasoning about hardware is the natural thing to do, as evidenced by the contribution of Berezin et al. Benveniste et al. describe models and techniques for distributed code generation for synchronous languages on not necessarily asynchronous architectures; Berezin et al. describe and illustrate several compositional model checking techniques used in practice; Maraninchi et al. study mixing ARGOS and LUSTRE inside the formalism of mode-automata, and discuss three criteria for compositionality which are used in selecting an appropriate semantics for the resulting mixed language; Poigne and Holenderski provide a generic framework for synchronous programming and its implementation, called the SYNCHRONIE WORKBENCH. Finally, Lamport considers compositional reasoning to be necessary for open systems, and very useful in case of machine-supported verification. He continues by arguing that “when distracting language issues are removed and the underlying mathematics is revealed, compositionality is of little use,” advocating the use of ordinary mathematics for “semantic reasoning,” instead. This is close to the position, taken by de Boer and me, that the essence of compositionality is revealed when language issues are removed and the underlying mathematics is exposed. What then remains is, in Lamport’s case, temporal-logic-based reasoning about the next-state relation in the context of TLA, and, in our case, reasoning about transition diagrams in a suitable inductive assertion framework formulated inside mathematics.

On the basis of the synchronous paradigm, simple compositional characteri- 
zations of real-time have been obtained, with an impressive number of applica- 
tions. Such characterizations are discussed in the contributions by Moszkowski, 
by Hooman, by Olderog and Dierks, by Bornot, Sifakis and Tripakis, by Xu and 
Swarup, and by Zhou and Hansen. The latter contribution extends compositional 
reasoning in the interval temporal logic ITL to continuous time, and, in principle, 
hybrid systems. The contribution by Bornot et al. argues that many different 
ways exist for composing time progress conditions in the context of timed au- 
tomata, and that these are all practically relevant. Moszkowski’s contribution 
also discusses compositional proof rules for liveness properties, and deals with 
comparing different granularities of time, all in the context of a simulator for 
the automatic analysis of specifications, called Tempura. 

Shared-variable concurrency requires a more complex semantics in order to obtain a compositional characterization, which corresponds to the much tighter possible interaction between shared-variable processes. That semantics, discovered by Peter Aczel in 1983, of which a fully abstract version was developed in [dBKPR91] called reactive-sequence semantics, provides an underlying model for Jones’ rely-guarantee formalism. The corresponding logical operator for reasoning about shared-variable concurrency additionally requires substitution and renaming. To my knowledge, few applications of the corresponding logics exist, although compositional correctness proofs for some mutual exclusion algorithms have been given [dBHdR97a, dBHdR97b].

A special position is taken by the compositional semantics of Statecharts, which is the subject of the contribution by Damm, Josko, Hungar and Pnueli. Since parallel composition in Statecharts is only synchronous at the level of its micro-step semantics, but not purely synchronous for its super-step semantics, defining its compositional semantics requires quite an effort. This semantics acts as reference model for a verification tool currently under development, allowing one to verify temporal properties of embedded control systems modelled using the Statemate system; this tool combines symbolic model checking with assumption-commitment-based reasoning.

Also object orientation is the subject of recent compositional characteriza- 
tions. Consult, e.g., the contributions by Mads Dam, Fredlund and Gurov, and 
by James and Singh. Since object-oriented constructs are characterized by their 
sophisticated information-hiding techniques, progress in this field can only be ex- 
pected once the localization of information within objects is adequately reflected 
by their associated logics [dB98]. 

Finally, compositional verification methods are extended to multi-agents in 
the contribution by Jonker and Treur, and to randomization in the contribution 
by Segala. 

9 Conclusion 

A survey has been given of the main issues and directions in state-based composi- 
tional reasoning about parallelism. Compositional proof techniques are presented 
as proof-theoretical analogue of Dijkstra’s hierarchically structured program de- 
velopment. Machine-support for compositional reasoning has been discussed, as 
well as the relationship between compositionality, modularity and completeness. 
Compositional reasoning is considered successful in case of: 

— correctness-preserving top-down derivation of concurrent programs, whose 

processes do not interact too tightly, 

— synchronous communication and real-time, and for synchronous languages. 

The history of the subject has been briefly discussed, and pointers to the papers 
in this volume have been given. 

Real progress in the (semi-) automated verification of programs can only be 
expected once specification formalisms are supported which are both composi- 
tional w.r.t. parallelism and w.r.t. abstraction/refinement. For these are the two 
main mental tools which man possesses for tackling complexity: reduction-to- 
smaller-problems and abstraction. 

Broy’s and Lamport’s contributions to this volume testify that they have realized this already for a long time. A temporal logic plus associated proof rules which enables compositional and stutter-invariant reasoning about both parallelism and refinement has been developed in [Cau96]. And in [BLO98a, BLO98b] the InVeSt tool is reported which supports the verification of invariance properties of infinite-state systems; this tool computes abstractions of such systems compositionally and automatically, and then uses pre-fixed-points to find auxiliary invariants using a combination of algorithmic and deductive techniques.

There’s still lots of work to do! 



Schloß Dagstuhl, September 10, 1998.

1 Introduction

In 1977, Pnueli proposed to use linear-time temporal logic (LTL) to specify requirements for reactive systems [Pnu77]. A formula of LTL is interpreted over a computation, which is an infinite sequence of states. A reactive system satisfies an LTL formula if all its computations do. Due to the implicit use of universal quantification over the set of computations, LTL cannot express existential, or possibility, properties. Branching-time temporal logics such as CTL and CTL*, on the other hand, do provide explicit quantification over the set of computations [CE81, EH86]. For instance, for a state predicate φ, the CTL formula ∀◇φ requires that a state satisfying φ is visited in all computations, and the CTL formula ∃◇φ requires that there exists a computation that visits a state satisfying φ. The problem of model checking is to verify whether a finite-state abstraction of a reactive system satisfies a temporal-logic specification [CE81, QS81]. Efficient model checkers exist for both LTL (e.g., SPIN [Hol97]) and CTL (e.g., SMV [McM93]), and are increasingly being used as debugging aids for industrial designs.

The logics LTL and CTL have their natural interpretation over the compu- 
tations of closed systems, where a closed system is a system whose behavior is 
completely determined by the state of the system. However, the compositional 
modeling and design of reactive systems requires each component to be viewed 
as an open system, where an open system is a system that interacts with its 
environment and whose behavior depends on the state of the system as well as 
the behavior of the environment. Models for open systems, such as CSP [Hoa85], 
I/O automata [Lyn96], and Reactive Modules [AH96], distinguish between inter- 
nal nondeterminism, choices made by the system, and external nondeterminism, 
choices made by the environment. Consequently, besides universal (do all com- 
putations satisfy a property?) and existential (does some computation satisfy a 
property?) questions, a third question arises naturally: can the system resolve its 
internal choices so that the satisfaction of a property is guaranteed no matter how 
the environment resolves the external choices? Such an alternating satisfaction 
can be viewed as a winning condition in a two-player game between the system 
and the environment. Alternation is a natural generalization of existential and 
universal branching, and has been studied extensively in theoretical computer 
science [CKS81]. 

Different researchers have argued for game-like interpretations of LTL and CTL specifications for open systems. We list four such instances here.

Receptiveness [Dil89, AL93, GSSL94]: Given a reactive system, specified by a set of safe computations (typically, generated by a transition relation) and a set of live computations (typically, expressed by an LTL formula), the receptiveness problem is to determine whether every finite safe computation can be extended to an infinite live computation irrespective of the behavior of the environment. It is sensible, and necessary for compositionality, to require an affirmative answer to the receptiveness problem.
Realizability (program synthesis) [ALW89, PR89a, PR89b]: Given an LTL formula ψ over sets of input and output signals, the synthesis problem requires the construction of a reactive system that assigns to every possible input sequence an output sequence so that the resulting computation satisfies ψ.

Supervisory control [RW89]: Given a finite-state machine whose transitions 
are partitioned into controllable and uncontrollable, and a set of safe states, 
the control problem requires the construction of a controller that chooses 
the controllable transitions so that the machine always stays within the safe 
set (or satisfies some more general LTL formula). 

Module checking [KV96]: Given an open system and a CTL* formula ψ, the module-checking problem is to determine if, no matter how the environment restricts the external choices, the system satisfies ψ.

All the above approaches use the temporal-logic syntax that was developed for specifying closed systems, and reformulate its semantics for open systems. In this paper, we propose, instead, to enrich temporal logic so that alternating properties can be specified explicitly within the logic: we introduce alternating-time temporal logics for the specification and verification of open systems. Our formulation of open systems considers, instead of just a system and an environment, the more general setting of a set Σ of agents that correspond to different components of the system and the environment. We model open systems by alternating transition systems. The transitions of an alternating transition system correspond to possible moves in a game between the agents. In each move of the game, every agent chooses a set of successor states. The game then proceeds to the (single) state in the intersection of the sets chosen by the agents. Special cases of the game are turn-based synchronous (in each state, only one agent restricts the set of successor states, and that agent is determined by the state), lock-step synchronous (the state is partitioned according to the agents, and in each step, every agent updates its component of the state), and turn-based asynchronous (in each state, only one agent restricts the set of successor states, and that agent is chosen by a fair scheduler). These subclasses of alternating transition systems capture various notions of synchronous and asynchronous interaction between open systems.

For a set A ⊆ Σ of agents, a set Λ of computations, and a state q of the system, consider the following game between a protagonist and an antagonist. The game starts at the state q. At each step, to determine the next state, the protagonist chooses the choices controlled by the agents in the set A, while the antagonist chooses the remaining choices. If the resulting infinite computation belongs to the set Λ, then the protagonist wins. If the protagonist has a winning strategy, we say that the alternating-time formula ⟨⟨A⟩⟩Λ is satisfied in the state q. Here, ⟨⟨A⟩⟩ is a path quantifier, parameterized with the set A of agents, which ranges over all computations that the agents in A can force the game into, irrespective of how the agents in Σ \ A proceed. Hence, the parameterized path quantifier ⟨⟨A⟩⟩ is a generalization of the path quantifiers of branching-time temporal logics: the existential path quantifier ∃ corresponds to ⟨⟨Σ⟩⟩, and the universal path quantifier ∀ corresponds to ⟨⟨∅⟩⟩. In particular, closed systems can be viewed as systems with a single agent sys, which represents the system. Then, the two possible parameterized path quantifiers ⟨⟨sys⟩⟩ and ⟨⟨∅⟩⟩ match exactly the path quantifiers ∃ and ∀ required for specifying such systems. Depending on the syntax used to specify the set Λ of computations, we obtain two alternating-time temporal logics: in the logic ATL*, the set Λ is specified by a formula of LTL; in the more restricted logic ATL, the set Λ is specified by a single temporal operator applied to a state formula. Thus, ATL is the alternating generalization of CTL, and ATL* is the alternating generalization of CTL*.

Alternating-time temporal logics can conveniently express properties of open systems as illustrated by the following five examples:

1. In a multi-process distributed system, we can require any subset of processes to attain a goal, irrespective of the behavior of the remaining processes. Consider, for example, the cache-coherence protocol for Gigamax verified using SMV [McM93]. One of the desired properties is the absence of deadlocks, where a deadlocked state is one in which a processor, say a, is permanently blocked from accessing a memory cell. This requirement was specified using the CTL formula

∀□(∃◇read ∧ ∃◇write).

The ATL formula

∀□(⟨⟨a⟩⟩◇read ∧ ⟨⟨a⟩⟩◇write)

captures the informal requirement more precisely. While the CTL formula only asserts that it is always possible for all processors to cooperate so that a can eventually read and write (“collaborative possibility”), the ATL formula is stronger: it guarantees a memory access for processor a, no matter what the other processors in the system do (“adversarial possibility”).

2. While the CTL formula ∀□φ asserts that the state predicate φ is an invariant of a system component irrespective of the behavior of all other components (“adversarial invariance”), the ATL formula [a]□φ (which stands for ⟨⟨Σ \ {a}⟩⟩□φ) states the weaker requirement that φ is a possible invariant of the component a; that is, a cannot violate □φ on its own, and therefore the other system components may cooperate to achieve □φ (“collaborative invariance”). For φ to be an invariant of a complex system, it is necessary (but not sufficient) to check that every component a satisfies the ATL formula [a]□φ.

3. The receptiveness of a system whose live computations are given by the LTL formula ψ is specified by the ATL* formula ∀□⟨⟨sys⟩⟩ψ.

4. Checking the realizability (program synthesis) of an LTL formula ψ corresponds to model checking of the ATL* formula ⟨⟨sys⟩⟩ψ in a maximal model that considers all possible inputs and outputs.

5. The controllability of a system whose safe states are given by the state predicate φ is specified by the ATL formula ⟨⟨control⟩⟩□φ. Controller synthesis, then, corresponds to model checking of this formula. More generally, for an LTL formula ψ, the ATL* requirement ⟨⟨control⟩⟩ψ asserts that the controller has a strategy to ensure the satisfaction of ψ.

Notice that ATL is better suited for compositional reasoning than CTL. For instance, if a component a satisfies the CTL formula ∃◇φ, we cannot conclude that the compound system a‖b also satisfies ∃◇φ. On the other hand, if a satisfies the ATL formula ⟨⟨a⟩⟩◇φ, then so does a‖b.

The model-checking problem for alternating-time temporal logics requires the computation of winning strategies. In the case of synchronous ATL, all games are finite reachability games. Consequently, the model-checking complexity is linear in the size of the system and the length of the formula, just as in the case of CTL. While checking existential reachability corresponds to iterating the existential next-time operator ∃○, and checking universal reachability corresponds to iterating the universal next ∀○, checking alternating reachability corresponds to iterating an appropriate mix of ∃○ and ∀○, as governed by a parameterized path quantifier. This suggests a simple symbolic model-checking procedure for synchronous ATL, and shows how existing symbolic model checkers for CTL can be modified to check ATL specifications, at no extra cost. In the asynchronous model, due to the presence of fairness constraints, ATL model checking requires the solution of infinite games, namely, generalized Büchi games [VW86b]. Consequently, the model-checking complexity is quadratic in the size of the system, and the symbolic algorithm involves a nested fixed-point computation. The model-checking problem for ATL* is much harder: we show it to be complete for 2EXPTIME in both the synchronous and asynchronous cases.

The remaining paper is organized as follows. Section 2 defines the model of alternating transition systems, and Section 3 defines the alternating-time temporal logics ATL and ATL*. Section 4 presents symbolic model-checking procedures, and Section 5 establishes complexity bounds on model checking for alternating-time temporal logics. In Section 6, we consider more general ways of introducing game quantifiers in temporal logics. Specifically, we define an alternating-time μ-calculus and a game logic, and study their relationship to ATL and ATL*. Finally, Section 7 considers models in which agents have only partial information about (global) states. We show that for this case, of alternating transition systems with incomplete information, the model-checking problem is generally undecidable, and we describe a special case that is decidable in exponential time.

2 Alternating Transition Systems 

We model open systems by alternating transition systems. While in ordinary 
transition systems, each transition corresponds to a possible step of the system, 
in alternating transition systems, each transition corresponds to a possible step 
in a game between the agents that constitute the system. 
2.1 Definition of ATS 

An alternating transition system (ATS, for short) is a 5-tuple $S = (\Pi, \Sigma, Q, \pi, \delta)$ 
with the following components: 

— $\Pi$ is a set of propositions. 

— $\Sigma$ is a set of agents. 

— $Q$ is a set of states. 

— $\pi : Q \to 2^{\Pi}$ maps each state to the set of propositions that are true in the 
state. 

— $\delta : Q \times \Sigma \to 2^{2^{Q}}$ is a transition function that maps a state and an agent to 
a nonempty set of choices, where each choice is a set of possible next states. 
Whenever the system is in state $q$, each agent $a$ chooses a set $Q_a \in \delta(q, a)$. 
In this way, an agent $a$ ensures that the next state of the system will be in its 
choice $Q_a$. However, which state in $Q_a$ will be next depends on the choices 
made by the other agents, because the successor of $q$ must lie in the intersec- 
tion $\bigcap_{a \in \Sigma} Q_a$ of the choices made by all agents. The transition function is 
non-blocking, and the agents together choose a unique next state. Thus, 
we require that this intersection always contains a unique state: assuming 
$\Sigma = \{a_1, \dots, a_n\}$, then for every state $q \in Q$ and every set $Q_1, \dots, Q_n$ of 
choices $Q_i \in \delta(q, a_i)$, the intersection $Q_1 \cap \dots \cap Q_n$ is a singleton. 

The number of transitions of $S$ is defined to be $\sum_{q \in Q,\, a \in \Sigma} |\delta(q, a)|$. For two states 
$q$ and $q'$ and an agent $a$, we say that $q'$ is an $a$-successor of $q$ if there exists a set 
$Q' \in \delta(q, a)$ such that $q' \in Q'$. We denote by $succ(q, a)$ the set of $a$-successors 
of $q$. For two states $q$ and $q'$, we say that $q'$ is a successor of $q$ if for all agents 
$a \in \Sigma$, we have $q' \in succ(q, a)$. Thus, $q'$ is a successor of $q$ iff whenever the 
system $S$ is in state $q$, the agents in $\Sigma$ can cooperate so that $q'$ will be the next 
state. A computation of $S$ is an infinite sequence $\lambda = q_0, q_1, q_2, \dots$ of states such 
that for all positions $i \geq 0$, the state $q_{i+1}$ is a successor of the state $q_i$. We refer 
to a computation starting at state $q$ as a $q$-computation. For a computation $\lambda$ 
and a position $i \geq 0$, we use $\lambda[i]$, $\lambda[0, i]$, and $\lambda[i, \infty]$ to denote the $i$-th state 
in $\lambda$, the finite prefix $q_0, q_1, \dots, q_i$ of $\lambda$, and the infinite suffix $q_i, q_{i+1}, \dots$ of $\lambda$, 
respectively. 

Example 1. Consider a system with two processes $a$ and $b$. The process $a$ assigns 
values to the boolean variable $x$. When $x = \mathit{false}$, then $a$ can leave the value 
of $x$ unchanged or change it to $\mathit{true}$. When $x = \mathit{true}$, then $a$ leaves the value 
of $x$ unchanged. In a similar way, the process $b$ assigns values to the boolean 
variable $y$. When $y = \mathit{false}$, then $b$ can leave the value of $y$ unchanged or change 
it to $\mathit{true}$. When $y = \mathit{true}$, then $b$ leaves the value of $y$ unchanged. We model the 
composition of the two processes by the following ATS $S_{xy} = (\Pi, \Sigma, Q, \pi, \delta)$: 

— $\Pi = \{x, y\}$. 

— $\Sigma = \{a, b\}$. 

— $Q = \{q, q_x, q_y, q_{xy}\}$. The state $q$ corresponds to $x = y = \mathit{false}$, the state $q_x$ 
corresponds to $x = \mathit{true}$ and $y = \mathit{false}$, and similarly for $q_y$ and $q_{xy}$. 

— The labeling function $\pi : Q \to 2^{\Pi}$ is therefore as follows: 

• $\pi(q) = \emptyset$. 

• $\pi(q_x) = \{x\}$. 

• $\pi(q_y) = \{y\}$. 

• $\pi(q_{xy}) = \{x, y\}$. 

— The transition function $\delta : Q \times \Sigma \to 2^{2^{Q}}$ is as follows: 

• $\delta(q, a) = \{\{q, q_y\}, \{q_x, q_{xy}\}\}$. 

• $\delta(q, b) = \{\{q, q_x\}, \{q_y, q_{xy}\}\}$. 

• $\delta(q_x, a) = \{\{q_x, q_{xy}\}\}$. 

• $\delta(q_x, b) = \{\{q, q_x\}, \{q_y, q_{xy}\}\}$. 

• $\delta(q_y, a) = \{\{q, q_y\}, \{q_x, q_{xy}\}\}$. 

• $\delta(q_y, b) = \{\{q_y, q_{xy}\}\}$. 

• $\delta(q_{xy}, a) = \{\{q_x, q_{xy}\}\}$. 

• $\delta(q_{xy}, b) = \{\{q_y, q_{xy}\}\}$. 

Consider, for example, the transition $\delta(q, a)$. As the process $a$ controls only 
the value of $x$, and can change its value from $\mathit{false}$ to $\mathit{true}$, the agent $a$ 
can determine whether the next state of the system will be some $q'$ with 
$x \in \pi(q')$ or some $q'$ with $x \notin \pi(q')$. It cannot, however, determine the 
value of $y$. Therefore, $\delta(q, a) = \{\{q, q_y\}, \{q_x, q_{xy}\}\}$, letting $a$ choose between 
$\{q, q_y\}$ and $\{q_x, q_{xy}\}$, yet leaving the choice between $q$ and $q_y$, in the first 
case, and between $q_x$ and $q_{xy}$, in the second case, to process $b$. 

Consider the state $q_x$. While the state $q_y$ is a $b$-successor of $q_x$, the state $q_y$ is not 
an $a$-successor of $q_x$. Therefore, the state $q_y$ is not a successor of $q_x$: when the 
system is in state $q_x$, the processes $a$ and $b$ cannot cooperate so that the system 
will move to $q_y$. On the other hand, the agents can cooperate so that the system 
will stay in state $q_x$ or move to $q_{xy}$. By similar considerations, it follows that the 
infinite sequences $q, q, q_x, q_x, q_x, q_{xy}^{\omega}$ and $q, q_y, q_y, q_{xy}^{\omega}$ and $q, q_{xy}^{\omega}$ are three possible 
$q$-computations of the ATS $S_{xy}$. 

Now suppose that process $b$ can change $y$ from $\mathit{false}$ to $\mathit{true}$ only when $x$ 
is already $\mathit{true}$. The resulting ATS $S'_{xy} = (\Pi, \Sigma, Q, \pi, \delta')$ differs from $S_{xy}$ only 
in the transition function: $\delta'(q, b) = \{\{q, q_x\}\}$, and in all other cases $\delta'$ agrees 
with $\delta$. While $q, q, q_x, q_x, q_x, q_{xy}^{\omega}$ is a possible $q$-computation of the ATS $S'_{xy}$, the 
sequences $q, q_y, q_y, q_{xy}^{\omega}$ and $q, q_{xy}^{\omega}$ are not. 

Third, suppose that process $b$ can change $y$ from $\mathit{false}$ to $\mathit{true}$ either when $x$ 
is already $\mathit{true}$, or when simultaneously $x$ is set to $\mathit{true}$. The transition function 
of the resulting ATS $S''_{xy} = (\Pi, \Sigma, Q, \pi, \delta'')$ differs from $\delta$ only in $\delta''(q, b) = 
\{\{q, q_x\}, \{q, q_{xy}\}\}$. In state $q$, if process $b$ decides to leave $y$ unchanged, it chooses 
the first option $\{q, q_x\}$. If, on the other hand, process $b$ decides to change the 
value of $y$ to $\mathit{true}$ provided that $x$ is simultaneously changed to $\mathit{true}$ by process $a$, 
then $b$ chooses the second option $\{q, q_{xy}\}$. Then $q, q, q_x, q_x, q_x, q_{xy}^{\omega}$ and $q, q_{xy}^{\omega}$ are 
possible $q$-computations of the ATS $S''_{xy}$, while $q, q_y, q_y, q_{xy}^{\omega}$ is not. 

Finally, suppose we consider process $b$ on its own. In this case, we have 
two agents, $b$ and $env$, where $env$ represents the environment, which may, in any 
state, change the value of $x$ arbitrarily. The resulting ATS $S'''_{xy} = (\Pi, \Sigma''', Q, \pi, \delta''')$ 
has the set $\Sigma''' = \{b, env\}$ of agents and the following transition function: 

— $\delta'''(q, b) = \delta'''(q_x, b) = \{\{q, q_x\}, \{q_y, q_{xy}\}\}$. 

— $\delta'''(q_y, b) = \delta'''(q_{xy}, b) = \{\{q_y, q_{xy}\}\}$. 

— $\delta'''(q, env) = \delta'''(q_x, env) = \delta'''(q_y, env) = \delta'''(q_{xy}, env) = 
\{\{q, q_y\}, \{q, q_{xy}\}, \{q_x, q_{xy}\}, \{q_x, q_y\}\}$. 

□ 
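As an added example (not code from the paper), the ATS $S_{xy}$ of Example 1 and its variants $S'_{xy}$ and $S''_{xy}$ in Python, with the singleton-intersection requirement of Section 2.1 and the successor relation used to decide which of the sequences above are $q$-computations; the names `DELTA1`, `DELTA2`, `is_well_formed` and `is_computation` are the example's own.

```python
from itertools import product

# Constructed representation of the ATS S_xy of Example 1 (added example,
# not the paper's code). A choice is a frozenset of states; DELTA[(q, a)]
# is the list of choices available to agent a in state q.
def fs(*states):
    return frozenset(states)

STATES = fs("q", "qx", "qy", "qxy")   # q: x=y=false, qx: x=true, qy: y=true, ...
AGENTS = ("a", "b")

DELTA = {
    ("q",   "a"): [fs("q", "qy"),  fs("qx", "qxy")],
    ("q",   "b"): [fs("q", "qx"),  fs("qy", "qxy")],
    ("qx",  "a"): [fs("qx", "qxy")],
    ("qx",  "b"): [fs("q", "qx"),  fs("qy", "qxy")],
    ("qy",  "a"): [fs("q", "qy"),  fs("qx", "qxy")],
    ("qy",  "b"): [fs("qy", "qxy")],
    ("qxy", "a"): [fs("qx", "qxy")],
    ("qxy", "b"): [fs("qy", "qxy")],
}
# S'_xy: b may set y only when x is already true (delta' differs only at (q, b)).
DELTA1 = {**DELTA, ("q", "b"): [fs("q", "qx")]}
# S''_xy: b may set y when x is already true, or when a sets x at the same step.
DELTA2 = {**DELTA, ("q", "b"): [fs("q", "qx"), fs("q", "qxy")]}

def is_well_formed(delta, states=STATES, agents=AGENTS):
    """Requirement of Section 2.1: for every state and every combination of
    choices (one per agent), the intersection of the choices is a singleton."""
    for q in states:
        for combo in product(*(delta[(q, a)] for a in agents)):
            if len(frozenset.intersection(*combo)) != 1:
                return False
    return True

def succ(delta, q, a):
    """succ(q, a): the a-successors of q, i.e. the union of a's choices at q."""
    return frozenset().union(*delta[(q, a)])

def successors(delta, q, agents=AGENTS):
    """q' is a successor of q iff q' is an a-successor of q for every agent a."""
    return frozenset.intersection(*(succ(delta, q, a) for a in agents))

def is_computation(delta, prefix, loop_state):
    """True iff prefix followed by loop_state repeated forever is a computation:
    each step of the prefix, the step into loop_state, and the self-loop on
    loop_state must all follow the successor relation."""
    seq = list(prefix) + [loop_state, loop_state]
    return all(seq[i + 1] in successors(delta, seq[i]) for i in range(len(seq) - 1))

if __name__ == "__main__":
    for name, d in (("S_xy", DELTA), ("S'_xy", DELTA1), ("S''_xy", DELTA2)):
        print(name, "well-formed:", is_well_formed(d),
              "| q,qy,qy,qxy^w is a computation:", is_computation(d, ["q", "qy", "qy"], "qxy"))
```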

An ordinary labeled transition system, or Kripke structure, is the special case of 
an ATS where the set $\Sigma = \{sys\}$ of agents is a singleton set. In this special case, 
the sole agent $sys$ can always determine the successor state: for all states $q \in Q$, 
the transition $\delta(q, sys)$ must contain a nonempty set of choices, each of which is 
a singleton set. 



2.2 Synchronous ATS 

In this section we present two special cases of alternating transition systems. 
Both cases correspond to a synchronous composition of agents. 



Turn-based synchronous ATS In a turn-based synchronous ATS, at every 
state only a single agent is scheduled to proceed, and that agent determines the 
next state. Which agent is scheduled depends on the state. Accordingly, an 
ATS is turn-based synchronous if for every state $q \in Q$, there exists an agent 
$a_q \in \Sigma$ such that $\delta(q, a_q)$ is a set of singleton sets and for all agents $b \in \Sigma \setminus \{a_q\}$, 
we have $\delta(q, b) = \{Q\}$. Thus, in every state $q$ only the agent $a_q$ constrains the 
choice of the successor state. Equivalently, a turn-based synchronous ATS can 
be viewed as a 6-tuple $S = (\Pi, \Sigma, Q, \pi, \sigma, R)$, where $\sigma : Q \to \Sigma$ maps each state 
$q$ to the agent $a_q$ that is scheduled to proceed at $q$, and $R \subseteq Q \times Q$ is a total 
transition relation. Then $q'$ is a successor of $q$ iff $R(q, q')$. 

Example 2. Consider the ATS $S_1 = (\Pi, \Sigma, Q, \pi, \delta)$ shown in Figure 1: 

— $\Pi = \{out\_of\_gate, in\_gate, request, grant\}$. 

— $\Sigma = \{train, ctr\}$. 

— $Q = \{q_0, q_1, q_2, q_3\}$. 

— • $\pi(q_0) = \{out\_of\_gate\}$. 

• $\pi(q_1) = \{out\_of\_gate, request\}$. 

• $\pi(q_2) = \{out\_of\_gate, grant\}$. 

• $\pi(q_3) = \{in\_gate\}$. 

— • $\delta(q_0, train) = \{\{q_0\}, \{q_1\}\}$. 

• $\delta(q_1, ctr) = \{\{q_0\}, \{q_1\}, \{q_2\}\}$. 

• $\delta(q_2, train) = \{\{q_0\}, \{q_3\}\}$. 

• $\delta(q_3, ctr) = \{\{q_0\}, \{q_3\}\}$. 

• $\delta(q_0, ctr) = \delta(q_1, train) = \delta(q_2, ctr) = \delta(q_3, train) = \{Q\}$. 

Since $S_1$ is a turn-based synchronous ATS, its transition function $\delta$ induces an 
assignment of agents to states: $\sigma(q_0) = \sigma(q_2) = train$ and $\sigma(q_1) = \sigma(q_3) = ctr$. 
The ATS describes a protocol for a train entering a gate at a railroad crossing. At 
each moment, the train is either $out\_of\_gate$ or $in\_gate$. In order to enter the gate, 
the train issues a request, which is serviced (granted or rejected) by the controller 
in the next step. After a grant, the train may enter the gate or relinquish the 
grant. The system has two agents: the train and the controller. Two states of 
the system, labeled $ctr$, are controlled; that is, when a computation is in one of 
these states, the controller chooses the next state. The other two states are not 
controlled, and the train chooses successor states. □ 



Fig. 1. A train controller as a turn-based synchronous ATS 



Lock-step synchronous ATS In a lock-step synchronous ATS, the state space 
is the product of local state spaces, one for each agent. Then, in every state, all 
agents proceed simultaneously. Each agent determines its next local state, pos- 
sibly dependent on the current local states of the other agents but independent 
of the choices taken by the other agents. Accordingly, an ATS is lock-step syn- 
chronous if the following two conditions are satisfied: 

1. The state space has the form $Q = \prod_{a \in \Sigma} Q_a$. Given a (global) state $q \in Q$ 
and an agent $a \in \Sigma$, we write $q[a]$ for the component of $q$ local to $a$. Then, 
assuming $\Sigma = \{a_1, \dots, a_n\}$, every state has the form $q = (q[a_1], \dots, q[a_n])$. 

2. For every state $q \in Q$ and every agent $a \in \Sigma$, there exists a set $\{q_1, \dots, q_k\} \subseteq 
Q_a$ of states local to $a$ such that $\delta(q, a) = \{Q_1, \dots, Q_k\}$ for $Q_i = \{q' \in Q \mid 
q'[a] = q_i\}$. Thus, while the agent $a$ can determine its next local state, it 
cannot determine the next local states of the other agents. 

Equivalently, the transition function $\delta$ can be replaced by a set of local transition 
functions $\delta_a : Q \to 2^{Q_a}$, one for each agent $a \in \Sigma$ and all of them total. Then $q'$ 
is a successor of $q$ iff for all agents $a \in \Sigma$, we have $q'[a] \in \delta_a(q)$. 
Example 3. The ATS $S_{xy}$ from Example 1 is lock-step synchronous. To see this, 
note that its state space $Q = \{q, q_x, q_y, q_{xy}\}$ can be viewed as the product of 
$Q_a = \{u, u_x\}$ and $Q_b = \{v, v_y\}$ with $q = (u, v)$, $q_x = (u_x, v)$, $q_y = (u, v_y)$, and 
$q_{xy} = (u_x, v_y)$. The local transition functions are as follows: 

— $\delta_a(q) = \delta_a(q_y) = \{u, u_x\}$. 

— $\delta_a(q_x) = \delta_a(q_{xy}) = \{u_x\}$. 

— $\delta_b(q) = \delta_b(q_x) = \{v, v_y\}$. 

— $\delta_b(q_y) = \delta_b(q_{xy}) = \{v_y\}$. 

Also the ATS $S'_{xy}$ from Example 1 is lock-step synchronous, but the ATS $S''_{xy}$ 
and $S'''_{xy}$ are not. For $S''_{xy}$, this is because the ability of process $b$ to change the 
value of $y$ depends on what process $a$ does at the same step. □ 

2.3 Fair ATS 

When systems are modeled as ordinary transition systems, to establish liveness 
properties, it is often necessary to rule out certain infinite computations that 
ignore enabled choices forever. For instance, in an asynchronous system consist- 
ing of many processes, we may like to restrict attention to the computations 
in which all the processes take infinitely many steps. Such assumptions can be 
incorporated in the model by adding fairness conditions. Motivated by similar 
concerns, we define fairness conditions for ATS. 

A fairness condition for the ATS $S = (\Pi, \Sigma, Q, \pi, \delta)$ is a set of fairness con- 
straints for $S$, each defining a subset of the transition function. More precisely, a 
fairness constraint for $S$ is a function $\gamma : Q \times \Sigma \to 2^{2^{Q}}$ such that $\gamma(q, a) \subseteq \delta(q, a)$ 
for all states $q \in Q$ and all agents $a \in \Sigma$. As with ordinary transition systems, a 
fairness condition partitions the computations of an ATS into computations that 
are fair and computations that are not fair. We elaborate on two interpretations 
for fairness constraints. Consider a computation $\lambda = q_0, q_1, q_2, \dots$ of the ATS $S$, 
a fairness constraint $\gamma : Q \times \Sigma \to 2^{2^{Q}}$ for $S$, and an agent $a \in \Sigma$. We say that 
$\gamma$ is $a$-enabled at position $i \geq 0$ of $\lambda$ if $\gamma(q_i, a) \neq \emptyset$. We say that $\gamma$ is $a$-taken at 
position $i$ of $\lambda$ if there exists a set $Q' \in \gamma(q_i, a)$ such that $q_{i+1} \in Q'$. The two 
interpretations for fairness constraints are defined with respect to a set $A \subseteq \Sigma$ 
of agents as follows: 

— The computation $\lambda$ is weakly $(\gamma, A)$-fair if for each agent $a \in A$, either there 
are infinitely many positions of $\lambda$ at which $\gamma$ is not $a$-enabled, or there are 
infinitely many positions of $\lambda$ at which $\gamma$ is $a$-taken. 

— The computation $\lambda$ is strongly $(\gamma, A)$-fair if for each agent $a \in A$, either 
there are only finitely many positions of $\lambda$ at which $\gamma$ is $a$-enabled, or there 
are infinitely many positions of $\lambda$ at which $\gamma$ is $a$-taken. With these standard 
definitions, strong fairness implies weak fairness. 

Now, given a fairness condition $\Gamma$ for the ATS $S$ and a set $A \subseteq \Sigma$ of agents, the 
computation $\lambda$ is weakly/strongly $(\Gamma, A)$-fair if $\lambda$ is weakly/strongly $(\gamma, A)$-fair 
for all fairness constraints $\gamma \in \Gamma$. Note that for every fairness condition $\Gamma$ and 
every set $A$ of agents, each prefix of a computation of $S$ can be extended to 
a computation that is strongly $(\Gamma, A)$-fair. Note also that a computation $\lambda$ is 
weakly/strongly $(\Gamma, A_1 \cup A_2)$-fair, for $A_1, A_2 \subseteq \Sigma$, iff $\lambda$ is weakly/strongly both 
$(\Gamma, A_1)$-fair and $(\Gamma, A_2)$-fair. 

Example 4. Consider the ATS $S_{xy}$ from Example 1 and the fairness condition 
$\Gamma_y = \{\gamma\}$ with the fairness constraint $\gamma(q, b) = \gamma(q_x, b) = \{\{q_y, q_{xy}\}\}$ (we specify 
only the nonempty values of a fairness constraint). All computations of the ATS 
$S_{xy}$ are strongly $(\Gamma_y, \{a\})$-fair. However, only computations in which the value 
of the variable $y$ is eventually $\mathit{true}$ are weakly or strongly $(\Gamma_y, \{b\})$-fair or, for 
that matter, $(\Gamma_y, \{a, b\})$-fair. This is because, as long as the value of $y$ is $\mathit{false}$, 
the ATS $S_{xy}$ is either in state $q$ or in state $q_x$. Therefore, as long as the value of 
$y$ is $\mathit{false}$, the fairness constraint $\gamma$ is $b$-enabled. Thus, in a fair computation, $\gamma$ 
will eventually be $b$-taken, changing the value of $y$ to $\mathit{true}$. □ 

As with ordinary transition systems, fairness enables us to exclude some com- 
putations of an ATS. In particular, fairness enables us to model asynchronous 
systems. 

Turn-based asynchronous ATS In a turn-based asynchronous ATS, at every 
state only a single agent determines the next state. However, unlike in a turn- 
based synchronous ATS, the state does not determine which agent is scheduled 
to proceed. Rather, a turn-based asynchronous ATS has a designated agent $sch$, 
which represents a scheduler. The scheduler $sch$ proceeds at all states and de- 
termines one other agent to proceed with it. That other agent determines the 
next state. Fairness constraints are used to guarantee that the scheduling policy 
is fair. Accordingly, an ATS is turn-based asynchronous if there exists an agent 
$sch \in \Sigma$ and for every state $q \in Q$ and every agent $a \in \Sigma \setminus \{sch\}$, there exists a 
local transition function $\delta_a : Q \to 2^{Q}$ such that the following four conditions are 
satisfied: 

1. For all states $q \in Q$ and all agents $a, b \in \Sigma \setminus \{sch\}$, if $a \neq b$ then $\delta_a(q) \cap \delta_b(q) = 
\emptyset$. We say that agent $a$ is enabled in state $q$ if $\delta_a(q) \neq \emptyset$. 

2. For all states $q \in Q$, we have $\delta(q, sch) = \{\delta_a(q) \mid \text{the agent } a \in \Sigma \setminus \{sch\} 
\text{ is enabled in } q\}$. That is, if the scheduler $sch$ chooses the option $\delta_a(q)$, the 
agent $a$ is scheduled to proceed in state $q$. 

3. For all states $q \in Q$ and all agents $a \in \Sigma \setminus \{sch\}$ that are not enabled in $q$, 
we have $\delta(q, a) = \{Q\}$. That is, if the agent $a$ is not enabled, it does not 
influence the successor state. 

4. For all states $q \in Q$ and all agents $a \in \Sigma \setminus \{sch\}$ that are enabled in $q$, 
assuming $\delta_a(q) = \{q_1, \dots, q_k\}$, we have $\delta(q, a) = \{(Q \setminus \delta_a(q)) \cup \{q_1\}, \dots, (Q \setminus 
\delta_a(q)) \cup \{q_k\}\}$. That is, if the agent $a$ is enabled in state $q$, it chooses a suc- 
cessor state in $\delta_a(q)$ provided it is scheduled to proceed. If, however, $a$ is 
not scheduled to proceed in $q$, then it does not influence the successor state, 
which must lie in $Q \setminus \delta_a(q)$ because of the first condition. 

Equivalently, a turn-based asynchronous ATS can be viewed as a 6-tuple $S = 
(\Pi, \Sigma \setminus \{sch\}, Q, \pi, R, \sigma)$, where $R \subseteq Q \times Q$ is a total transition relation, and 
$\sigma : R \to \Sigma \setminus \{sch\}$ maps each transition to an agent. Then $\delta_a(q) = \{q' \in Q \mid R(q, q') 
\text{ and } \sigma(q, q') = a\}$. Note that, while in a turn-based synchronous ATS we label 
states with agents, in a turn-based asynchronous ATS we label transitions with 
agents. 

In order to ensure fairness of the scheduler, we impose a fairness condition 
$\Gamma = \{\gamma_a \mid a \in \Sigma \setminus \{sch\}\}$ with a turn-based asynchronous ATS. The fairness 
condition $\Gamma$ contains a fairness constraint $\gamma_a$ for each agent $a$ different from $sch$, 
which ensures that the scheduler does not neglect $a$ forever. For all states $q \in Q$, 
we have $\gamma_a(q, sch) = \{\delta_a(q)\}$ and for all agents $b \in \Sigma \setminus \{sch\}$ (possibly $b = a$), we 
have $\gamma_a(q, b) = \emptyset$. Then, a computation $\lambda$ is weakly $(\gamma_a, \{sch\})$-fair iff either there 
are infinitely many positions of $\lambda$ at which the agent $a$ is not enabled, or there 
are infinitely many positions of $\lambda$ at which $a$ is scheduled to proceed. Similarly, 
$\lambda$ is strongly $(\gamma_a, \{sch\})$-fair iff either there are only finitely many positions of 
$\lambda$ at which the agent $a$ is enabled, or there are infinitely many positions of $\lambda$ at 
which $a$ is scheduled to proceed. 

Example 5. As an example of a turn-based asynchronous ATS consider the mod- 
eling of the sender process of the alternating-bit protocol shown in Figure 2. 
There are two agents, the sender and the environment. In the initial state $q_0$, 
only the sender is enabled, and it chooses either to stay in $q_0$ or to move to 
state $q_1$. The transition from $q_0$ to $q_1$ corresponds to sending a message tagged 
with the bit 0. In state $q_1$ the sender is waiting to receive an acknowledgment. 
Both agents are enabled, and the scheduler chooses one of them. The sender, if 
scheduled to proceed in state $q_1$, continues to wait. Each environment transition 
corresponds to the reception of an acknowledgment by the sender. If the acknowl- 
edgment bit is 0, the sender proceeds to toggle its bit by moving to state $q_2$, and 
if the acknowledgment bit is 1, the sender attempts to resend the message by 
moving back to state $q_0$. This phenomenon is modeled by letting the environ- 
ment, when scheduled in state $q_1$, choose between $q_0$ and $q_2$. State $q_2$ is similar 
to state $q_0$, and $q_3$ is similar to $q_1$. 

Formally, $Q = \{q_0, q_1, q_2, q_3\}$ and $\Sigma = \{sender, env, sch\}$. The set $\Pi$ contains 
four propositions: $send0$ is true in state $q_0$, $wait0$ is true in state $q_1$, $send1$ is true 
in state $q_2$, and $wait1$ is true in state $q_3$. The local transition functions are as 
follows: 

— $\delta_{sender}(q_0) = \{q_0, q_1\}$. 

— $\delta_{env}(q_0) = \emptyset$. 

— $\delta_{sender}(q_1) = \{q_1\}$. 

— $\delta_{env}(q_1) = \{q_0, q_2\}$. 

— $\delta_{sender}(q_2) = \{q_2, q_3\}$. 

— $\delta_{env}(q_2) = \emptyset$. 

— $\delta_{sender}(q_3) = \{q_3\}$. 

— $\delta_{env}(q_3) = \{q_0, q_2\}$. 

Fig. 2. A send protocol as a turn-based asynchronous ATS 

These local transition functions induce the following transition function: 

— $\delta(q_0, sch) = \{\{q_0, q_1\}\}$. 

— $\delta(q_0, sender) = \{\{q_0, q_2, q_3\}, \{q_1, q_2, q_3\}\}$. 

— $\delta(q_0, env) = \{\{q_0, q_1, q_2, q_3\}\}$. 

— $\delta(q_1, sch) = \{\{q_1\}, \{q_0, q_2\}\}$. 

— $\delta(q_1, sender) = \{\{q_0, q_2, q_3, q_1\}\}$. 

— $\delta(q_1, env) = \{\{q_1, q_3, q_0\}, \{q_1, q_3, q_2\}\}$. 

— $\delta(q_2, sch) = \{\{q_2, q_3\}\}$. 

— $\delta(q_2, sender) = \{\{q_0, q_1, q_2\}, \{q_0, q_1, q_3\}\}$. 

— $\delta(q_2, env) = \{\{q_0, q_1, q_2, q_3\}\}$. 

— $\delta(q_3, sch) = \{\{q_3\}, \{q_0, q_2\}\}$. 

— $\delta(q_3, sender) = \{\{q_0, q_1, q_2, q_3\}\}$. 

— $\delta(q_3, env) = \{\{q_1, q_3, q_0\}, \{q_1, q_3, q_2\}\}$. 

The weak-fairness constraint $\gamma_{env}$ ensures that if the sender is waiting in state 
$q_1$ or $q_3$, it will eventually receive an acknowledgment: 

— $\gamma_{env}(q_1, sch) = \gamma_{env}(q_3, sch) = \{\{q_0, q_2\}\}$ 

(we specify only the nonempty values of a fairness constraint). The assumption 
that the environment does not keep sending incorrect acknowledgments forever, 
which ensures progress of the protocol, can be modeled by a strong-fairness 
constraint $\gamma'$: 

— $\gamma'(q_1, env) = \{\{q_1, q_3, q_2\}\}$. 

— $\gamma'(q_3, env) = \{\{q_1, q_3, q_0\}\}$. 

□ 



3 Alternating-time Temporal Logic 

3.1 ATL Syntax 

The temporal logic ATL (Alternating-time Temporal Logic) is defined with re- 
spect to a finite set $\Pi$ of propositions and a finite set $\Sigma$ of agents. An ATL 
formula is one of the following: 

(S1) $p$, for propositions $p \in \Pi$. 

(S2) $\neg\varphi$ or $\varphi_1 \vee \varphi_2$, where $\varphi$, $\varphi_1$, and $\varphi_2$ are ATL formulas. 

(S3) $\langle\langle A \rangle\rangle \bigcirc \varphi$, $\langle\langle A \rangle\rangle \Box \varphi$, or $\langle\langle A \rangle\rangle \varphi_1 \mathcal{U} \varphi_2$, where $A \subseteq \Sigma$ is a set of agents, and $\varphi$, 
$\varphi_1$, and $\varphi_2$ are ATL formulas. 

The operator $\langle\langle\ \rangle\rangle$ is a path quantifier, and $\bigcirc$ ("next"), $\Box$ ("always"), and $\mathcal{U}$ 
("until") are temporal operators. The logic ATL is similar to the branching-time 
temporal logic CTL, only that path quantifiers are parameterized by sets of 
agents. Sometimes we write $\langle\langle a_1, \dots, a_n \rangle\rangle$ instead of $\langle\langle \{a_1, \dots, a_n\} \rangle\rangle$. Additional 
boolean connectives are defined from $\neg$ and $\vee$ in the usual manner. As in CTL, 
we write $\langle\langle A \rangle\rangle \Diamond \varphi$ for $\langle\langle A \rangle\rangle \mathit{true}\, \mathcal{U} \varphi$. 



3.2 ATL Semantics 

We interpret ATL formulas over the states of a given ATS $S$ that has the same 
propositions and agents. The labeling of the states of $S$ with propositions is used 
to evaluate the atomic formulas of ATL. The logical connectives $\neg$ and $\vee$ have 
the standard interpretation. To evaluate a formula of the form $\langle\langle A \rangle\rangle \psi$ at a state 
$q$ of $S$, consider the following two-player game. The game proceeds in an infinite 
sequence of rounds, and after each round, the position of the game is a state 
of $S$. The initial position is $q$. Now consider the game in some position $u$. To 
update the position, first the protagonist chooses for every agent $a \in A$ a set 
$Q_a \in \delta(u, a)$. Then, the antagonist chooses a successor $v$ of $u$ such that $v \in Q_a$ 
for all $a \in A$, and the position of the game is updated to $v$. In this way, the game 
continues forever and produces a computation. The protagonist wins the game if 
the resulting computation satisfies the subformula $\psi$, read as a linear temporal 
formula whose outermost operator is $\bigcirc$, $\Box$, or $\mathcal{U}$. The ATL formula $\langle\langle A \rangle\rangle \psi$ holds 
at the state $q$ if the protagonist has a winning strategy in this game. 

In order to define the semantics of ATL formally, we first define the notion 
of strategies. Consider an ATS $S = (\Pi, \Sigma, Q, \pi, \delta)$. A strategy for an agent 
$a \in \Sigma$ is a mapping $f_a : Q^{+} \to 2^{Q}$ such that for all $\lambda \in Q^{*}$ and all $q \in Q$, 
we have $f_a(\lambda \cdot q) \in \delta(q, a)$. Thus, the strategy $f_a$ maps each finite prefix $\lambda \cdot q$ 
of a computation to a set in $\delta(q, a)$. This set contains possible extensions of the 
computation as suggested to agent $a$ by the strategy. Each strategy $f_a$ induces a 
set of computations that agent $a$ can enforce. Given a state $q$, a set $A$ of agents, 
and a set $F_A = \{f_a \mid a \in A\}$ of strategies, one for each agent in $A$, we define the 
outcomes of $F_A$ from $q$ to be the set $out(q, F_A)$ of all $q$-computations that the 
agents in $A$ can enforce when they cooperate and follow the strategies in $F_A$; that 
is, a computation $\lambda = q_0, q_1, q_2, \dots$ is in $out(q, F_A)$ if $q_0 = q$ and for all positions 
$i \geq 0$, the state $q_{i+1}$ is a successor of $q_i$ satisfying $q_{i+1} \in f_a(\lambda[0, i])$ for all agents $a \in A$. 

We can now turn to a formal definition of the semantics of ATL. We write 
$S, q \models \varphi$ ("state $q$ satisfies formula $\varphi$ in the structure $S$") to indicate that the 
formula $\varphi$ holds at state $q$ of $S$. When $S$ is clear from the context we omit it 
and write $q \models \varphi$. The relation $\models$ is defined, for all states $q$ of $S$, inductively as 
follows: 

— For $p \in \Pi$, we have $q \models p$ iff $p \in \pi(q)$. 

— $q \models \neg\varphi$ iff $q \not\models \varphi$. 

— $q \models \varphi_1 \vee \varphi_2$ iff $q \models \varphi_1$ or $q \models \varphi_2$. 

— $q \models \langle\langle A \rangle\rangle \bigcirc \varphi$ iff there exists a set $F_A$ of strategies, one for each agent in $A$, 
such that for all computations $\lambda \in out(q, F_A)$, we have $\lambda[1] \models \varphi$. 

— $q \models \langle\langle A \rangle\rangle \Box \varphi$ iff there exists a set $F_A$ of strategies, one for each agent in $A$, 
such that for all computations $\lambda \in out(q, F_A)$ and all positions $i \geq 0$, we 
have $\lambda[i] \models \varphi$. 

— $q \models \langle\langle A \rangle\rangle \varphi_1 \mathcal{U} \varphi_2$ iff there exists a set $F_A$ of strategies, one for each agent 
in $A$, such that for all computations $\lambda \in out(q, F_A)$ there exists a position 
$i \geq 0$ such that $\lambda[i] \models \varphi_2$ and for all positions $0 \leq j < i$, we have $\lambda[j] \models \varphi_1$. 

Note that the next operator $\bigcirc$ is local: $q \models \langle\langle A \rangle\rangle \bigcirc \varphi$ iff for each agent $a \in A$ 
there exists a set $Q_a \in \delta(q, a)$ such that for each state $q' \in \bigcap_{a \in A} Q_a$, if $q'$ is a 
successor of $q$, then $q' \models \varphi$. 

It is often useful to express an ATL formula in a dual form. For that, we use 
the path quantifier $[[A]]$, for a set $A$ of agents. While the ATL formula $\langle\langle A \rangle\rangle \psi$ 
intuitively means that the agents in $A$ can cooperate to make $\psi$ true (they 
can "enforce" $\psi$), the dual formula $[[A]] \psi$ means that the agents in $A$ cannot 
cooperate to make $\psi$ false (they cannot "avoid" $\psi$). Using the path quantifier 
$[[\ ]]$, we can write, for a set $A$ of agents and an ATL formula $\varphi$, the ATL formula 
$[[A]] \bigcirc \varphi$ for the ATL formula $\neg \langle\langle A \rangle\rangle \bigcirc \neg\varphi$, $[[A]] \Box \varphi$ for $\neg \langle\langle A \rangle\rangle \Diamond \neg\varphi$, and $[[A]] \Diamond \varphi$ for 
$\neg \langle\langle A \rangle\rangle \Box \neg\varphi$ (similar abbreviations can be defined for the dual of the $\mathcal{U}$ operator). 
Let us make this more precise. For a state $q$ and a set $\Lambda$ of $q$-computations, we 
say that the agents in $A$ can enforce the set $\Lambda$ of computations if $out(q, F_A) \subseteq \Lambda$ 
for some set $F_A$ of strategies for the agents in $A$. Dually, we say that the agents 
in $A$ can avoid the set $\Lambda$ of computations if $\Lambda \cap out(q, F_A) = \emptyset$ for some set 
$F_A$ of strategies for the agents in $A$. If the agents in $A$ can enforce a set $\Lambda$ of 
computations, then the agents in $\Sigma \setminus A$ cannot avoid $\Lambda$. Therefore, $q \models \langle\langle A \rangle\rangle \psi$ 
implies $q \models [[\Sigma \setminus A]] \psi$. The converse of this statement is not necessarily true. 
To see this, consider $\Sigma = \{a, b\}$, $\delta(q, a) = \{\{q_1, q_2\}, \{q_3, q_4\}\}$ and $\delta(q, b) = 
\{\{q_1, q_3\}, \{q_2, q_4\}\}$, assuming each state $q_i$ satisfies the proposition $p_i$ and no 
other propositions. Then $q \not\models \langle\langle a \rangle\rangle \bigcirc (p_1 \vee p_4)$ and $q \not\models [[b]] \bigcirc (p_1 \vee p_4)$; that is, 
neither does $a$ have a strategy to enforce $\bigcirc(p_1 \vee p_4)$ nor does $b$ have a strategy 
to avoid $\bigcirc(p_1 \vee p_4)$. 

Example 6. Recall the turn-based synchronous ATS $S_1$ from Example 2. Recall 
that in a turn-based synchronous ATS, every state is labeled with an agent that 
determines the successor state. In this simplified setting, to determine the truth 
of a formula with path quantifier $\langle\langle A \rangle\rangle$, we can consider the following simpler 
version of the ATL game. In every state $u$, if the agent scheduled to proceed 
in $u$ belongs to $A$, then the protagonist updates the position to some successor 







of $u$, and otherwise, the antagonist updates the position to some successor of $u$. 
Therefore, every state of $S_1$ satisfies the following ATL formulas: 

1. Whenever the train is out of the gate and does not have a grant to enter the 
gate, the controller can prevent it from entering the gate. 

$\langle\langle\ \rangle\rangle \Box ((out\_of\_gate \wedge \neg grant) \rightarrow \langle\langle ctr \rangle\rangle \Box out\_of\_gate)$ 

2. Whenever the train is out of the gate, the controller cannot force it to enter 
the gate. 

$\langle\langle\ \rangle\rangle \Box (out\_of\_gate \rightarrow [[ctr]] \Box out\_of\_gate)$ 

3. Whenever the train is out of the gate, the train and the controller can coop- 
erate so the train will enter the gate. 

$\langle\langle\ \rangle\rangle \Box (out\_of\_gate \rightarrow \langle\langle ctr, train \rangle\rangle \Diamond in\_gate)$ 

4. Whenever the train is out of the gate, it can eventually request a grant for 
entering the gate, in which case the controller decides whether the grant is 
given or not. 

$\langle\langle\ \rangle\rangle \Box (out\_of\_gate \rightarrow \langle\langle train \rangle\rangle \Diamond (request \wedge (\langle\langle ctr \rangle\rangle \bigcirc grant) \wedge (\langle\langle ctr \rangle\rangle \Box \neg grant)))$ 

5. Whenever the train is in the gate, the controller can force it out in the next 
step. 

$\langle\langle\ \rangle\rangle \Box (in\_gate \rightarrow \langle\langle ctr \rangle\rangle \bigcirc out\_of\_gate)$ 

These natural requirements cannot be stated in CTL or CTL*. Consider the first 
two ATL formulas. They provide more information than the CTL formula 

$\forall\Box (out\_of\_gate \rightarrow \exists\Box out\_of\_gate)$. 

While the CTL formula only requires the existence of a computation in which 
the train is always out of the gate, the two ATL formulas guarantee that no 
matter how the train behaves, the controller can prevent it from entering the 
gate, and no matter how the controller behaves, the train can decide to stay out 
of the gate. By contrast, since the train and the controller are the only agents 
in this example, the third ATL formula is equivalent to the CTL formula 

$\forall\Box (out\_of\_gate \rightarrow \exists\Diamond in\_gate)$. 

□ 
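The formulas of Example 6 checked mechanically over $S_1$, as an added Python example (not code from the paper): $\langle\langle A \rangle\rangle \bigcirc$ is computed through the local characterization given in Section 3.2, and $\langle\langle A \rangle\rangle \Box$ and $\langle\langle A \rangle\rangle \mathcal{U}$ are obtained by the standard greatest and least fixed-point iteration of that operator (the iteration the introduction alludes to); the function names `pre`, `always`, `until` and `example_6` are the example's own.

```python
from itertools import product

# Added example (not the paper's code): the train controller S_1 of Example 2.
def fs(*states):
    return frozenset(states)

Q = fs("q0", "q1", "q2", "q3")
AGENTS = ("train", "ctr")
PI = {"q0": fs("out_of_gate"), "q1": fs("out_of_gate", "request"),
      "q2": fs("out_of_gate", "grant"), "q3": fs("in_gate")}
DELTA = {
    ("q0", "train"): [fs("q0"), fs("q1")],          ("q0", "ctr"): [Q],
    ("q1", "ctr"): [fs("q0"), fs("q1"), fs("q2")],  ("q1", "train"): [Q],
    ("q2", "train"): [fs("q0"), fs("q3")],          ("q2", "ctr"): [Q],
    ("q3", "ctr"): [fs("q0"), fs("q3")],            ("q3", "train"): [Q],
}

def atom(p):
    """States labeled with proposition p."""
    return fs(*(q for q in Q if p in PI[q]))

def successors(q):
    """Successors of q: states that are a-successors of q for every agent a."""
    return frozenset.intersection(*(frozenset().union(*DELTA[(q, a)]) for a in AGENTS))

def pre(A, T):
    """{q | q |= <<A>>O T}: for each agent in A there is a choice such that every
    successor of q inside the intersection of those choices lies in T.
    For A = () the intersection is Q, i.e. all successors must lie in T."""
    result = set()
    for q in Q:
        for combo in product(*(DELTA[(q, a)] for a in A)):
            forced = frozenset.intersection(Q, *combo) & successors(q)
            if forced <= T:
                result.add(q)
                break
    return frozenset(result)

def always(A, T):
    """<<A>>[]T as the greatest fixed point of Z = T & pre(A, Z)."""
    Z = Q
    while True:
        Zn = T & pre(A, Z)
        if Zn == Z:
            return Z
        Z = Zn

def until(A, T1, T2):
    """<<A>>T1 U T2 as the least fixed point of Z = T2 | (T1 & pre(A, Z))."""
    Z = frozenset()
    while True:
        Zn = T2 | (T1 & pre(A, Z))
        if Zn == Z:
            return Z
        Z = Zn

def eventually(A, T):
    return until(A, Q, T)

def implies(T1, T2):
    return (Q - T1) | T2

def example_6():
    """The five formulas of Example 6; each should evaluate to all of Q."""
    out, grant, ing, req = atom("out_of_gate"), atom("grant"), atom("in_gate"), atom("request")
    ctr, both, train = ("ctr",), ("ctr", "train"), ("train",)
    return {
        "f1": always((), implies(out - grant, always(ctr, out))),
        # [[ctr]][]out is the dual -<<ctr>><>-out
        "f2": always((), implies(out, Q - eventually(ctr, Q - out))),
        "f3": always((), implies(out, eventually(both, ing))),
        "f4": always((), implies(out, eventually(train, req & pre(ctr, grant) & always(ctr, Q - grant)))),
        "f5": always((), implies(ing, pre(ctr, out))),
    }

if __name__ == "__main__":
    for name, states in example_6().items():
        print(name, "holds in", sorted(states))
```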



Turn-based synchronous ATS It is worth noting that in the special case of a 
turn-based synchronous ATS, the agents in $A$ can enforce a set $\Lambda$ of computations 
iff the agents in $\Sigma \setminus A$ cannot avoid $\Lambda$. Therefore, for all states $q$ of a turn-based 
synchronous ATS, $q \models \langle\langle A \rangle\rangle \psi$ iff $q \models [[\Sigma \setminus A]] \psi$, or equivalently, $[[A]] = \langle\langle \Sigma \setminus A \rangle\rangle$. 
Due to this strong duality, over turn-based synchronous ATS, we can define the 
temporal operator $\Box$ from $\Diamond$: $\langle\langle A \rangle\rangle \Box \varphi = [[\Sigma \setminus A]] \Box \varphi = \neg [[A]] \Diamond \neg\varphi = \neg \langle\langle \Sigma \setminus 
A \rangle\rangle \Diamond \neg\varphi$. 

Single-agent ATS Recall that a labeled transition system is an ATS with the 
single agent $sys$. In this case, which is a special case of turn-based synchronous, 
there are only two path quantifiers: $\langle\langle sys \rangle\rangle = [[\ ]]$ and $\langle\langle\ \rangle\rangle = [[sys]]$. Then each 
set $out(q, \{f_{sys}\})$ of outcomes contains a single $q$-computation, and each set 
$out(q, \emptyset)$ of outcomes contains all $q$-computations. Accordingly, the path quanti- 
fiers $\langle\langle sys \rangle\rangle$ and $\langle\langle\ \rangle\rangle$ are equal, respectively, to the existential and universal path 
quantifiers $\exists$ and $\forall$ of the logic CTL. In other words, over labeled transition 
systems, ATL is identical to CTL. We write, over arbitrary ATS, $\exists$ for the path 
quantifier $\langle\langle \Sigma \rangle\rangle$, and $\forall$ for the path quantifier $[[\Sigma]]$. This is because, regarding $\exists\psi$, 
all agents can cooperate to enforce a condition $\psi$ iff there exists a computation 
that fulfills $\psi$, and regarding $\forall\psi$, all agents cannot cooperate to avoid $\psi$ iff all 
computations fulfill $\psi$. 

3.3 Fair-ATL 

Since fairness constraints rule out certain computations, in their presence we 
need to refine the interpretation of formulas of the form $\langle\langle A \rangle\rangle \psi$. In particular, in 
the Fair-ATL game we require the antagonist to satisfy all fairness constraints. 
This leads us to the following definition. The logic Fair-ATL has the same syntax 
as ATL. The formulas of Fair-ATL are interpreted over an ATS $S$, a fairness 
condition $\Gamma$ for $S$, and a state $q$ of $S$. The satisfaction relation $S, \Gamma, q \models_{\Gamma} \varphi$ 
("state $q$ fairly satisfies formula $\varphi$ in the structure $S$ with respect to fairness 
condition $\Gamma$") for propositions and boolean connectives is defined as in the case 
of ATL. Moreover: 

— $q \models_{\Gamma} \langle\langle A \rangle\rangle \bigcirc \varphi$ iff there exists a set $F_A$ of strategies, one for each agent 
in $A$, such that for all $(\Gamma, \Sigma \setminus A)$-fair computations $\lambda \in out(q, F_A)$, we have 
$\lambda[1] \models_{\Gamma} \varphi$. 

— $q \models_{\Gamma} \langle\langle A \rangle\rangle \Box \varphi$ iff there exists a set $F_A$ of strategies, one for each agent in $A$, 
such that for all $(\Gamma, \Sigma \setminus A)$-fair computations $\lambda \in out(q, F_A)$ and all positions 
$i \geq 0$, we have $\lambda[i] \models_{\Gamma} \varphi$. 

— $q \models_{\Gamma} \langle\langle A \rangle\rangle \varphi_1 \mathcal{U} \varphi_2$ iff there exists a set $F_A$ of strategies, one for each agent 
in $A$, such that for all $(\Gamma, \Sigma \setminus A)$-fair computations $\lambda \in out(q, F_A)$ there 
exists a position $i \geq 0$ such that $\lambda[i] \models_{\Gamma} \varphi_2$ and for all positions $0 \leq j < i$, 
we have $\lambda[j] \models_{\Gamma} \varphi_1$. 

Note that the path quantifier $\langle\langle A \rangle\rangle$ ranges over the computations that are fair 
only with respect to the agents in $\Sigma \setminus A$. To see why, observe that once $\Gamma$ contains 
a fairness constraint $\gamma$ for which there exists an agent $a \in A$ such that $\gamma(q, a)$ 
is nontrivial for some state $q$ (that is, $\emptyset \subset \gamma(q, a) \subset \delta(q, a)$), the agents in $A$ 
can enforce computations that are not $(\Gamma, A)$-fair. The above definition assures 
that the agents in $A$ do not accomplish their tasks in such a vacuous way, by 
violating fairness. 

Example 7. Consider the ATS from Example 2. Unless the controller cooperates with the train, there is no guarantee that the train eventually enters the gate:

$$q_0 \not\models \langle\langle train\rangle\rangle\Diamond in\_gate$$

So suppose we add a fairness condition $\Gamma_1 = \{\gamma_{ctr}\}$ which imposes fairness on the control decisions in state $q_1$, namely, $\gamma_{ctr}(q_1, ctr) =$ (all other values of $\gamma_{ctr}$ are empty). If we interpret $\gamma_{ctr}$ as a strong fairness constraint, then the train has a strategy to eventually enter the gate:

$$q_0 \models_{\Gamma_1} \langle\langle train\rangle\rangle\Diamond in\_gate$$

To see this, whenever the train is in $q_0$, let it move to $q_1$. Eventually, due to the strong fairness constraint, the controller will move to $q_2$. Then the train can move to $q_3$. On the other hand, if we interpret $\gamma_{ctr}$ as a weak fairness constraint, cooperation between the train and the controller is still required to enter the gate, and the Fair-ATL formula is not satisfied in $q_0$. To see this, note that the train cannot avoid the weakly $(\gamma_{ctr}, \{train, ctr\})$-fair computation $q_0, q_1, q_0, q_1, \ldots$ □

3.4 ATL* 

The logic ATL is a fragment of a more expressive logic called ATL*. There are two types of formulas in ATL*: state formulas, whose satisfaction is related to a specific state, and path formulas, whose satisfaction is related to a specific computation. Formally, an ATL* state formula is one of the following:

(S1) $p$, for propositions $p \in \Pi$.

(S2) $\neg\varphi$ or $\varphi_1 \vee \varphi_2$, where $\varphi$, $\varphi_1$, and $\varphi_2$ are ATL* state formulas.

(S3) $\langle\langle A\rangle\rangle\psi$, where $A \subseteq \Sigma$ is a set of agents and $\psi$ is an ATL* path formula.

An ATL* path formula is one of the following:

(P1) An ATL* state formula.

(P2) $\neg\psi$ or $\psi_1 \vee \psi_2$, where $\psi$, $\psi_1$, and $\psi_2$ are ATL* path formulas.

(P3) $\bigcirc\psi$ or $\psi_1\,\mathcal{U}\,\psi_2$, where $\psi$, $\psi_1$, and $\psi_2$ are ATL* path formulas.

The logic ATL* consists of the set of state formulas generated by the rules (S1-3). The logic ATL* is similar to the branching-time temporal logic CTL*, only that path quantification is parameterized by agents. Additional boolean connectives and temporal operators are defined from $\neg$, $\vee$, $\bigcirc$, and $\mathcal{U}$ in the usual manner; in particular, $\Diamond\psi = true\,\mathcal{U}\,\psi$ and $\Box\psi = \neg\Diamond\neg\psi$. As with ATL, we use the dual path quantifier $[[A]]\psi = \neg\langle\langle A\rangle\rangle\neg\psi$, and the abbreviations $\exists = \langle\langle\Sigma\rangle\rangle$ and $\forall = [[\Sigma]]$. The logic ATL can be viewed as the fragment of ATL* that consists of all formulas in which every temporal operator is immediately preceded by a path quantifier.

The semantics of ATL* formulas is defined with respect to an ATS $S$. We write $S, \lambda \models \psi$ to indicate that the path formula $\psi$ holds at computation $\lambda$ of the structure $S$. The satisfaction relation $\models$ is defined, for all states $q$ and computations $\lambda$ of $S$, inductively as follows:

— For state formulas generated by the rules (S1-2), the definition is the same as for ATL.

— $q \models \langle\langle A\rangle\rangle\psi$ iff there exists a set $F_A$ of strategies, one for each agent in $A$, such that for all computations $\lambda \in out(q, F_A)$, we have $\lambda \models \psi$.

— $\lambda \models \varphi$ for a state formula $\varphi$ iff $\lambda[0] \models \varphi$.

— $\lambda \models \neg\psi$ iff $\lambda \not\models \psi$.

— $\lambda \models \psi_1 \vee \psi_2$ iff $\lambda \models \psi_1$ or $\lambda \models \psi_2$.

— $\lambda \models \bigcirc\psi$ iff $\lambda[1,\infty] \models \psi$.

— $\lambda \models \psi_1\,\mathcal{U}\,\psi_2$ iff there exists a position $i \geq 0$ such that $\lambda[i,\infty] \models \psi_2$ and for all positions $0 \leq j < i$, we have $\lambda[j,\infty] \models \psi_1$.

For example, the ATL* formula

$$\langle\langle a\rangle\rangle((\Diamond\Box\neg req) \vee (\Box\Diamond grant))$$

asserts that agent $a$ has a strategy to enforce computations in which only finitely many requests are sent or infinitely many grants are given. Such a requirement cannot be expressed in CTL* or in ATL. Since weak and strong fairness constraints can be expressed within ATL* (provided appropriate propositions are available), there is no need for Fair-ATL*.

Remark. In the definitions of ATL and ATL*, the strategy of an agent may depend on an unbounded amount of information, namely, the full history of the game up to the current state. When we consider finite ATS, all involved games are $\omega$-regular. Then, the existence of a winning strategy implies the existence of a winning finite-state strategy [Rab70], which depends only on a finite amount of information about the history of the game. Thus, the semantics of ATL and ATL* with respect to finite ATS can be defined, equivalently, using the outcomes of finite-state strategies only. This is interesting, because a strategy can be thought of as the parallel composition of the system with a controller, which makes sure that the system follows the strategy. Then, for an appropriate definition of parallel composition, finite-state strategies can be implemented using finite ATS. Indeed, for the finite reachability games and generalized Büchi games of ATL, it suffices to consider memory-free strategies [EJ88], which can be implemented as control maps (i.e., controllers without state). This is not the case for ATL*, whose formulas can specify the winning positions of Streett games [Tho95].

4 Symbolic Model Checking 

4.1 ATL Symbolic Model Checking 

The model-checking problem for ATL asks, given an ATS $S = (\Pi, \Sigma, Q, \pi, \delta)$ and an ATL formula $\varphi$, for the set $[\varphi] \subseteq Q$ of states of $S$ that satisfy $\varphi$. ATL model checking is similar to CTL model checking [CE81, QS81, BCM+90]. We present a symbolic algorithm, which manipulates state sets of $S$. The algorithm is shown in Figure 3, and uses the following primitive operations:

— The function $Sub$, when given an ATL formula $\varphi$, returns a queue $Sub(\varphi)$ of subformulas of $\varphi$ such that if $\varphi_1$ is a subformula of $\varphi$ and $\varphi_2$ is a subformula of $\varphi_1$, then $\varphi_2$ precedes $\varphi_1$ in the queue $Sub(\varphi)$.

— The function $Reg$, when given a proposition $p \in \Pi$, returns the state set $[p]$.

— The function $Pre$, when given a set $A \subseteq \Sigma$ of agents and a set $\rho \subseteq Q$ of states, returns the set containing all states $q$ such that whenever $S$ is in state $q$, the agents in $A$ can cooperate and force the next state to lie in $\rho$. Formally, $Pre(A, \rho)$ contains state $q \in Q$ iff for each agent $a \in A$ there exists a set $Q_a \in \delta(q,a)$ such that for each state $q' \in \bigcap_{a \in A} Q_a$, if $q'$ is a successor of $q$, then $q' \in \rho$.

— Union, intersection, difference, and inclusion test for state sets.

These primitives can be implemented using symbolic representations, such as binary decision diagrams, for state sets and the transition relation. If given a symbolic model checker for CTL, such as SMV [McM93], only the $Pre$ operation needs to be modified for checking ATL. In the special case that the ATS $S$ is turn-based synchronous, the computation of the function $Pre$ used in the symbolic model checking is particularly simple. Recall that in this case, $\sigma(q)$ denotes the agent that is scheduled to proceed in state $q$. Then, when given a set $A$ of agents and a set $\rho$ of states, $Pre(A, \rho)$ returns the set containing all states $q$ such that either $\sigma(q) \in A$ and some successor of $q$ is in $\rho$, or $\sigma(q) \notin A$ and all successors of $q$ are in $\rho$.



    foreach φ' in Sub(φ) do
      case φ' = p:               [φ'] := Reg(p)
      case φ' = ¬θ:              [φ'] := [true] \ [θ]
      case φ' = θ1 ∨ θ2:         [φ'] := [θ1] ∪ [θ2]
      case φ' = ⟨⟨A⟩⟩○θ:         [φ'] := Pre(A, [θ])
      case φ' = ⟨⟨A⟩⟩□θ:
        ρ := [true]; τ := [θ];
        while ρ ⊄ τ do ρ := ρ ∩ τ; τ := Pre(A, ρ) ∩ [θ] od;
        [φ'] := ρ
      case φ' = ⟨⟨A⟩⟩θ1 U θ2:
        ρ := [false]; τ := [θ2];
        while τ ⊄ ρ do ρ := ρ ∪ τ; τ := Pre(A, ρ) ∩ [θ1] od;
        [φ'] := ρ
      end case
    od;
    return [φ].



Fig. 3. ATL symbolic model checking 
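The algorithm of Figure 3 as an added, runnable example (this is the editor's code, not the paper's): $Pre$ is implemented directly from its formal definition above, over explicit state sets. The ATS is a constructed train/controller model in the spirit of Examples 2 and 7; its states, propositions and choices are assumptions of this example, not taken from the paper.

```python
"""Figure 3 (ATL symbolic model checking) over explicit state sets.
Added example, not code from the paper; the ATS is a constructed
train/controller model (states and choices are this example's own)."""
from itertools import product

# ATS S = (Pi, Sigma, Q, pi, delta).  DELTA[(q, a)] is the set of choices of
# agent a at q; each choice is a set of states, and the intersection of one
# choice per agent is the unique successor.
Q = {"q0", "q1", "q2", "q3"}
SIGMA = {"train", "ctr"}
PI = {"q0": {"out_of_gate"}, "q1": {"request"},    # pi(q): propositions at q
      "q2": {"grant"}, "q3": {"in_gate"}}
fs = frozenset
DELTA = {
    ("q0", "train"): {fs({"q0"}), fs({"q1"})},              # stay, or request
    ("q0", "ctr"):   {fs({"q0", "q1"})},                    # controller idle
    ("q1", "train"): {fs({"q0", "q1", "q2"})},              # awaits decision
    ("q1", "ctr"):   {fs({"q0"}), fs({"q1"}), fs({"q2"})},  # deny/delay/grant
    ("q2", "train"): {fs({"q0"}), fs({"q3"})},              # give up, or enter
    ("q2", "ctr"):   {fs({"q0", "q3"})},
    ("q3", "train"): {fs({"q0"})},                          # leave the gate
    ("q3", "ctr"):   {fs({"q0"})},
}

def joint_choices(q, agents):
    """For every combination of one choice per agent in `agents`, yield the
    intersection of the chosen sets (all of Q when `agents` is empty)."""
    for combo in product(*(DELTA[(q, a)] for a in sorted(agents))):
        inter = set(Q)
        for chosen in combo:
            inter &= chosen
        yield inter

def successors(q):
    """States reachable from q under some joint choice of all agents."""
    return set().union(*joint_choices(q, SIGMA))

def pre(agents, rho):
    """Pre(A, rho): states q where the agents in A can cooperate so that every
    successor of q consistent with their choices lies in rho."""
    return {q for q in Q
            if any((inter & successors(q)) <= rho
                   for inter in joint_choices(q, agents))}

def reg(p):
    """Reg(p): the state set [p]; the constant `true` labels every state."""
    return set(Q) if p == "true" else {q for q in Q if p in PI[q]}

# Formulas: ('prop', p) | ('not', f) | ('or', f, g) | ('next', A, f)
#           | ('always', A, f) | ('until', A, f1, f2);  A is a frozenset.
def sub(phi):
    """Sub(phi): subformulas ordered so that each precedes any formula
    containing it."""
    queue = []
    def walk(f):
        for child in f[1:]:
            if isinstance(child, tuple):
                walk(child)
        if f not in queue:
            queue.append(f)
    walk(phi)
    return queue

def model_check(phi):
    """Return [phi], the set of states of S satisfying the ATL formula phi."""
    sat = {}
    for f in sub(phi):
        kind = f[0]
        if kind == "prop":
            sat[f] = reg(f[1])
        elif kind == "not":
            sat[f] = set(Q) - sat[f[1]]
        elif kind == "or":
            sat[f] = sat[f[1]] | sat[f[2]]
        elif kind == "next":
            sat[f] = pre(f[1], sat[f[2]])
        elif kind == "always":            # greatest fixed point (Fig. 3)
            A, theta = f[1], sat[f[2]]
            rho, tau = set(Q), set(theta)
            while not rho <= tau:
                rho &= tau
                tau = pre(A, rho) & theta
            sat[f] = rho
        elif kind == "until":             # least fixed point (Fig. 3)
            A, th1, th2 = f[1], sat[f[2]], sat[f[3]]
            rho, tau = set(), set(th2)
            while not tau <= rho:
                rho |= tau
                tau = pre(A, rho) & th1
            sat[f] = rho
    return sat[phi]

def eventually(agents, f):
    """<<A>> Diamond f, expanded as <<A>> true U f."""
    return ("until", frozenset(agents), ("prop", "true"), f)
```

On this model `model_check(eventually({"train"}, ("prop", "in_gate")))` does not contain `q0`, while adding `ctr` to the coalition yields all four states, mirroring the two claims of Example 7 without fairness.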
4.2 Fair-ATL Symbolic Model Checking

We turn our attention to the model-checking problem for Fair-ATL: given an ATS $S = (\Pi, \Sigma, Q, \pi, \delta)$, a fairness condition $\Gamma$ for $S$, and a Fair-ATL formula $\varphi$, compute the set $[\varphi]_\Gamma$ of states of $S$ that fairly satisfy $\varphi$ with respect to $\Gamma$. We use the weak interpretation for $\Gamma$; the case of strong fairness constraints can be handled similarly. Recall that to evaluate a formula of the form $\langle\langle A\rangle\rangle\psi$, we need to restrict attention to computations that satisfy all fairness constraints for agents not in $A$. To determine which fairness constraints are satisfied by a computation, we augment the state space by adding new propositions that indicate for each agent $a \in \Sigma$ and each fairness constraint $\gamma$, whether or not $\gamma$ is $a$-enabled, and whether or not $\gamma$ is $a$-taken. For this purpose, we define the ATS $S_\Gamma = (\Pi_\Gamma, \Sigma, Q_\Gamma, \pi_\Gamma, \delta_\Gamma)$:

— For every agent $a \in \Sigma$ and every fairness constraint $\gamma \in \Gamma$, there is a new proposition $\langle\gamma, a, enabled\rangle$ and a new proposition $\langle\gamma, a, taken\rangle$: $\Pi_\Gamma = \Pi \cup (\Gamma \times \Sigma \times \{enabled, taken\})$.

— The states of $S_\Gamma$ correspond to the transitions of $S$: $Q_\Gamma = \{(q, q') \mid q' \text{ is a successor of } q \text{ in } S\}$.

— For every state $(q, q') \in Q_\Gamma$ and every agent $a \in \Sigma$, the transition $\delta_\Gamma((q,q'), a)$ is obtained from $\delta(q', a)$ by replacing each state $q''$ appearing in $\delta(q', a)$ by the state $(q', q'')$. For example, if $\delta(q_0, a) = \{\{q_1, q_2\}, \{q_3\}\}$, then

$$\delta_\Gamma((q, q_0), a) = \{\{(q_0, q_1), (q_0, q_2)\}, \{(q_0, q_3)\}\}.$$

— For every state $(q, q') \in Q_\Gamma$, we have

$$\pi_\Gamma((q,q')) = \pi(q) \cup \{\langle\gamma, a, enabled\rangle \mid \gamma(q,a) \neq \emptyset\} \cup \{\langle\gamma, a, taken\rangle \mid \text{there exists } Q' \in \gamma(q,a) \text{ such that } q' \in Q'\}.$$

Intuitively, a state of the form $(q, q')$ in $S_\Gamma$ corresponds to the ATS $S$ being in state $q$ with the agents deciding that the successor of $q$ will be $q'$. There is a one-to-one correspondence between computations of $S$ and $S_\Gamma$, and between strategies in $S$ and $S_\Gamma$. The new propositions in $\Gamma \times \Sigma \times \{enabled, taken\}$ allow us to identify the fair computations. Consequently, evaluating formulas of Fair-ATL over states of $S$ can be reduced to evaluating, over states of $S_\Gamma$, ATL* formulas that encode the fairness constraints in $\Gamma$.

Proposition 1. A state $q$ of the ATS $S$ fairly satisfies the Fair-ATL formula $\langle\langle A\rangle\rangle\psi$ with respect to the fairness condition $\Gamma$ iff for each agent $a \in A$, there exists a set $Q_a \in \delta(q,a)$ such that for every successor $q'$ of $q$ with $q' \in \bigcap_{a \in A} Q_a$, the state $(q, q')$ of the ATS $S_\Gamma$ satisfies the ATL* formula

$$\langle\langle A\rangle\rangle\Big(\psi \vee \bigvee_{\gamma \in \Gamma,\, a \in \Sigma\setminus A} \Diamond\Box(\langle\gamma, a, enabled\rangle \wedge \neg\langle\gamma, a, taken\rangle)\Big).$$
This proposition reduces Fair-ATL model checking to a special case of ATL* model checking. Rather than presenting the model-checking algorithm for full Fair-ATL, we consider the sample formula $\langle\langle A\rangle\rangle\Diamond p$, for a proposition $p$. Consider the following game on the structure $S_\Gamma$. When a state labeled by $p$ is visited, the protagonist wins. If the game continues forever, then the protagonist wins iff the resulting computation is not weakly $(\Gamma, \Sigma\setminus A)$-fair. The winning condition for the antagonist can therefore be specified by the LTL formula

$$\Box\Big(\neg p \wedge \bigwedge_{\gamma \in \Gamma,\, a \in \Sigma\setminus A} \Diamond(\neg\langle\gamma, a, enabled\rangle \vee \langle\gamma, a, taken\rangle)\Big).$$

This is a generalized Büchi condition. The set of winning states in such a game can be computed using nested fixed points. To obtain an algorithm for this example, we note that the CTL* formula $\exists\Box(p \wedge \bigwedge_{1 \leq i \leq k} \Diamond p_i)$ can be computed symbolically as the greatest fixpoint

$$\nu X.(p \wedge \exists\bigcirc(p\,\mathcal{U}\,(p_1 \wedge p\,\mathcal{U}\,(p_2 \wedge \ldots \wedge p\,\mathcal{U}\,(p_k \wedge X))))).$$

Consequently, the algorithm of Figure 4 computes the set $\rho \subseteq Q_\Gamma$ of winning states for the protagonist. The function $Pre_\Gamma$ is like $Pre$, but operates on the structure $S_\Gamma$. By Proposition 1, the first projection of $\rho$ gives the desired set $[\langle\langle A\rangle\rangle\Diamond p]_\Gamma \subseteq Q$ of states in the original structure $S$.



    ρ := [true]; τ := [¬p];
    while ρ ⊄ τ do
      ρ := ρ ∩ τ;
      foreach γ ∈ Γ do
        foreach a ∈ Σ \ A do
          ρ'' := [¬p] ∩ (([true] \ Reg(⟨γ, a, enabled⟩)) ∪ Reg(⟨γ, a, taken⟩));
          ρ' := [false]; τ' := ρ ∩ ρ'';
          while τ' ⊄ ρ' do ρ' := ρ' ∪ τ'; τ' := Pre_Γ(Σ \ A, ρ') ∩ [¬p] od;
          ρ := ρ'
        od
      od;
      τ := Pre_Γ(Σ \ A, ρ) ∩ [¬p]
    od;
    return ρ := [true] \ τ



Fig. 4. Nested fixed-point computation for Fair-ATL symbolic model checking 



5 Model-checking Complexity 

We measure the complexity of the model-checking problem in two different ways: the joint complexity of model checking considers the complexity in terms of both the structure and the formula; the structure complexity of model checking (called "program complexity" in [VW86a]) considers the complexity in terms of the structure, assuming the formula is fixed. Since the structure is typically much larger than the formula, and its size is the most common computational bottleneck [LP85], the structure-complexity measure is of particular practical interest.

5.1 ATL Model-checking Complexity 

Theorem 2. The model-checking problem for ATL is PTIME-complete, and can be solved in time $O(m \cdot \ell)$ for an ATS with $m$ transitions and an ATL formula of length $\ell$. The structure complexity of the problem is also PTIME-complete, even in the special case of turn-based synchronous ATS.

Proof: Consider an ATS $S$ with $m$ transitions and an ATL formula $\varphi$ of length $\ell$. We claim that the algorithm presented in Figure 3 can be implemented in time $O(m \cdot \ell)$. To see this, observe that the size of $Sub(\varphi)$ is bounded by $\ell$, and that executing each of the case statements in the algorithm involves, at most, a calculation of a single fixed point, which can be done in time linear in $m$ (see [Cle93]). Since reachability in AND-OR graphs is known to be PTIME-hard [Imm81], and can be specified using the fixed ATL formula $\langle\langle a\rangle\rangle\Diamond p$ interpreted over a turn-based synchronous ATS, hardness in PTIME, for both the joint and the structure complexity, is immediate. □

It is interesting to compare the model-checking complexities of turn-based synchronous ATL and CTL. While the two problems can be solved in time $O(m \cdot \ell)$ [CES86], the structure complexity of CTL model checking is only NLOGSPACE-complete [BVW94]. This is because CTL model checking is related to graph reachability, whereas turn-based synchronous ATL model checking is related to AND-OR graph reachability.

5.2 Fair-ATL Model-checking Complexity

As in Section 4.2, we consider the case of fairness constraints.

Theorem 3. The model-checking problem for Fair-ATL is PTIME-complete, and can be solved in time $O(m^2 \cdot n \cdot c \cdot \ell)$ for a fair ATS with $m$ transitions and $n$ agents, $c$ weak fairness constraints, and an ATL formula of size $\ell$. The structure complexity of the problem is also PTIME-complete.

Proof: Consider an ATS $S$ with $m$ transitions, $n$ agents, and $c$ weak fairness constraints. Let $\varphi$ be a Fair-ATL formula. Each state of $S$ is labeled with each subformula of $\varphi$, starting with the innermost subformulas. Let us consider the case corresponding to a subformula of the form $\langle\langle A\rangle\rangle\Diamond\theta$ (the cases corresponding to $\Box$ and $\mathcal{U}$ are similar). As described in Section 4.2, we first construct the ATS $S_\Gamma$, and the truth of $\langle\langle A\rangle\rangle\Diamond\theta$ can be evaluated by solving a generalized Büchi game over the structure $S_\Gamma$. The number of transitions in $S_\Gamma$ equals $m$. Note that the winning condition for the antagonist corresponds to visiting, for each fairness constraint $\gamma$ and each agent $a \notin A$, infinitely often a state satisfying $\langle\gamma, a, taken\rangle \vee \neg\langle\gamma, a, enabled\rangle$. Thus, there are $cn$ Büchi constraints. Since the complexity of solving Büchi games is quadratic (use the nested fixed-point computation of Figure 4), the cost of processing a temporal connective is $O(m^2 \cdot n \cdot c)$. This concludes the upper bound. Since the model-checking problem for ATL is a special case of the model-checking problem for Fair-ATL (with $\Gamma = \emptyset$), hardness in PTIME follows from Theorem 2. □



5.3 ATL* Model-checking Complexity 

We have seen that the transition from CTL to ATL does not involve a substantial computational price. In this section we consider the model-checking complexity of ATL*. While there is an exponential price to pay in model-checking complexity when moving from CTL to CTL*, this price becomes even more significant (namely, doubly exponential) when we consider the alternating-time versions of both logics.

Before we discuss ATL* model checking, let us briefly recall CTL* model checking [EL85]. The computationally difficult case corresponds to evaluating a state formula of the form $\exists\psi$, for an LTL formula $\psi$. The solution is to construct a Büchi automaton $\mathcal{A}$ that accepts all computations that satisfy $\psi$. To determine whether a state $q$ satisfies the formula $\exists\psi$, we need to check if some $q$-computation is accepted by the automaton $\mathcal{A}$, and this can be done by analyzing the product of $\mathcal{A}$ with the structure. The complexity of CTL* model checking reflects the cost of translating LTL formulas to $\omega$-automata. In case of an ATL* state formula $\langle\langle A\rangle\rangle\psi$, the solution is similar, but requires the use of tree automata, because satisfaction corresponds to the existence of winning strategies. Therefore, model checking requires checking the nonemptiness of the intersection of two tree automata: one accepting trees in which all paths satisfy $\psi$, and the other accepting trees that correspond to possible strategies of the protagonist.

In order to solve the model-checking problem for ATL*, we first define the notion of execution trees. Consider an ATS $S$, a set $A$ of agents, and a set $F_A = \{f_a \mid a \in A\}$ of strategies for the agents in $A$. For a state $q$ of $S$, the set $out(q, F_A)$ of $q$-computations is fusion-closed, and therefore induces a tree $exec(q, F_A)$. Intuitively, the tree $exec(q, F_A)$ is obtained by unwinding $S$ starting from $q$ according to the successor relation, while pruning subtrees whose roots are not chosen by the strategies in $F_A$. Formally, the tree $exec(q, F_A)$ has as nodes the following elements of $Q^*$:

— $q$ is a node (the root).

— For a node $\lambda \cdot q' \in Q^*$, the successor nodes (children) of $\lambda \cdot q'$ are all strings of the form $\lambda \cdot q' \cdot q''$, where $q''$ is a successor of $q'$ and $q'' \in \bigcap_{a \in A} f_a(\lambda \cdot q')$.

A tree $t$ is a $(q, A)$-execution tree if there exists a set $F_A$ of strategies, one for each agent in $A$, such that $t = exec(q, F_A)$.

Theorem 4. The model-checking problem for ATL* is 2EXPTIME-complete, even in the special case of turn-based synchronous ATS. The structure complexity of the problem is PTIME-complete.


Proof: Consider an ATS $S$ and an ATL* formula $\varphi$. As in the algorithm for CTL* model checking, we label each state $q$ of $S$ by all state subformulas of $\varphi$ that are satisfied in $q$. We do this in a bottom-up fashion, starting from the innermost state subformulas of $\varphi$. For subformulas generated by the rules (S1-2), the labeling procedure is straightforward. For subformulas $\varphi'$ generated by (S3), we employ the algorithm for CTL* module checking [KV96] as follows. Let $\varphi' = \langle\langle A\rangle\rangle\psi$; since the satisfaction of all state subformulas of $\psi$ has already been determined, we can assume that $\psi$ is an LTL formula. We construct a Rabin tree automaton $\mathcal{A}_\psi$ that accepts precisely the trees satisfying the CTL* formula $\forall\psi$, and for each state $q$ of $S$, we construct a Büchi tree automaton $\mathcal{A}_{S,q,A}$ that accepts precisely the $(q, A)$-execution trees. The automaton $\mathcal{A}_\psi$ has $2^{2^{O(|\psi|)}}$ states and $2^{O(|\psi|)}$ Rabin pairs [ES84]. The automaton $\mathcal{A}_{S,q,A}$ has $|Q|$ states. The product of the two automata $\mathcal{A}_\psi$ and $\mathcal{A}_{S,q,A}$ is a Rabin tree automaton that accepts precisely the $(q, A)$-execution trees satisfying $\forall\psi$. Hence, $q \models \langle\langle A\rangle\rangle\psi$ iff the product automaton is nonempty. The nonemptiness problem for a Rabin tree automaton with $n$ states and $r$ pairs can be solved in time $O(nr)^{3r}$ [EJ88, PR89a]. Hence, labeling a single state with $\varphi'$ requires at most time $(|Q| \cdot 2^{2^{O(|\psi|)}})^{2^{O(|\psi|)}} = |Q|^{2^{O(|\psi|)}}$. Since there are $|Q|$ states and at most $|\varphi|$ subformulas, membership in 2EXPTIME follows.

For the lower bound, we use a reduction from the realizability problem for LTL [PR89a], which is shown to be 2EXPTIME-hard in [Ros92]. In this problem, we are given an LTL formula $\psi$ over a set $\Pi$ of propositions and we determine whether there exists a turn-based synchronous ATS $S$ with two agents, $sys$ and $env$, such that

1. the transitions in $S$ alternate between $sys$ states and $env$ states,

2. every $env$ state has $2^{|\Pi|}$ successors, each labeled by a different subset of $\Pi$, and

3. some state of $S$ satisfies $\langle\langle sys\rangle\rangle\psi$.

Intuitively, a state of $S$ that satisfies $\langle\langle sys\rangle\rangle\psi$ witnesses a strategy of the system to satisfy $\psi$ irrespective of what the environment does. Let $S_\Pi$ be the maximal two-agent turn-based synchronous ATS over $\Pi$ that alternates between $sys$ and $env$ states:

$$S_\Pi = (\Pi,\ \{sys, env\},\ 2^\Pi \times \{s, e\},\ \pi,\ \sigma,\ (2^\Pi \times \{s\}) \times (2^\Pi \times \{e\}) \cup (2^\Pi \times \{e\}) \times (2^\Pi \times \{s\})),$$

where for every $w \subseteq \Pi$, we have $\pi((w,s)) = \pi((w,e)) = w$, $\sigma((w,s)) = \{sys\}$, and $\sigma((w,e)) = \{env\}$. It is easy to see that $\psi$ is realizable iff there exists some state in $S_\Pi$ that satisfies $\langle\langle sys\rangle\rangle\psi$. Since the 2EXPTIME lower bound holds already for LTL formulas with a fixed number of propositions, the size of $S_\Pi$ is fixed, and we are done.

The lower bound for the structure complexity of the problem follows from Theorem 2, and the upper bound follows from fixing $|\psi|$ in the complexity analysis of the joint complexity above. □

6 Beyond ATL* 

In this section we suggest two more formalisms for the specification of open systems. We compare the two formalisms with ATL and ATL* and consider their expressiveness and their model-checking complexity. Given two logics $L_1$ and $L_2$, we say that the logic $L_1$ is as expressive as the logic $L_2$ if for every formula $\varphi_2$ of $L_2$, there exists a formula $\varphi_1$ of $L_1$ such that $\varphi_1$ and $\varphi_2$ are equivalent (i.e., they are true in the same states of each ATS). The logic $L_1$ is more expressive than $L_2$ if $L_1$ is as expressive as $L_2$ and $L_2$ is not as expressive as $L_1$.



6.1 The Alternating-time $\mu$-Calculus

The formulas of the logic AMC (Alternating-time $\mu$-Calculus) are constructed from propositions, boolean connectives, the next operator $\bigcirc$, each occurrence parameterized by a set of agents, as well as the least fixed-point operator $\mu$. Formally, given a set $\Pi$ of propositions, a set $V$ of propositional variables, and a set $\Sigma$ of agents, an AMC formula is one of the following:

— $p$, for propositions $p \in \Pi$.

— $X$, for a propositional variable $X \in V$.

— $\neg\varphi$ or $\varphi_1 \vee \varphi_2$, where $\varphi$, $\varphi_1$, and $\varphi_2$ are AMC formulas.

— $\langle\langle A\rangle\rangle\bigcirc\varphi$, where $A \subseteq \Sigma$ is a set of agents and $\varphi$ is an AMC formula.

— $\mu X.\varphi$, where $\varphi$ is an AMC formula in which all free occurrences of $X$ (i.e., those that do not occur in a subformula of $\varphi$ starting with $\mu X$) fall under an even number of negations.

The logic AMC is similar to the $\mu$-calculus of [Koz83], only that the next operator $\bigcirc$ is parameterized by sets of agents rather than by a universal or an existential path quantifier. Additional boolean connectives are defined from $\neg$ and $\vee$ in the usual manner. As with ATL, we use the dual $[[A]]\bigcirc\varphi = \neg\langle\langle A\rangle\rangle\bigcirc\neg\varphi$, and the abbreviations $\exists = \langle\langle\Sigma\rangle\rangle$ and $\forall = [[\Sigma]]$. As with the $\mu$-calculus, we write $\nu X.\varphi$ to abbreviate $\neg\mu X.\neg\varphi$. Using both the greatest fixed-point operator $\nu$, the dual next operator $[[A]]\bigcirc$, and the connective $\wedge$, we can write every AMC formula in positive normal form, where all occurrences of $\neg$ are in front of propositions. An AMC formula $\varphi$ is alternation free if when $\varphi$ is written in positive normal form, there are no occurrences of $\nu$ (resp. $\mu$) on any syntactic path from an occurrence of $\mu X$ (resp. $\nu X$) to an occurrence of $X$. For example, the formula $\mu X.(p \vee \mu Y.(X \vee \langle\langle a\rangle\rangle\bigcirc Y))$ is alternation free; the formula $\nu X.\mu Y.((p \wedge X) \vee \langle\langle a\rangle\rangle\bigcirc Y)$ is not. The alternation-free fragment of AMC contains only alternation-free formulas.

We now turn to the semantics of AMC. We first need some definitions and notations. Given an ATS $S = (\Pi, \Sigma, Q, \pi, \delta)$, a valuation $\mathcal{V}$ is a function from the propositional variables $V$ to subsets of $Q$. For a valuation $\mathcal{V}$, a propositional variable $X$, and a set $Q' \subseteq Q$ of states, we denote by $\mathcal{V}[X := Q']$ the valuation that maps $X$ to $Q'$ and agrees with $\mathcal{V}$ on all other variables. An AMC formula $\varphi$ is interpreted as a mapping from valuations to state sets. Then, $\varphi^S(\mathcal{V})$ denotes the set of states that satisfy the AMC formula $\varphi$ under the valuation $\mathcal{V}$. The mapping $\varphi^S$ is defined inductively as follows:

— For a proposition $p \in \Pi$, we have $p^S(\mathcal{V}) = \{q \in Q \mid p \in \pi(q)\}$.

— For a propositional variable $X \in V$, we have $X^S(\mathcal{V}) = \mathcal{V}(X)$.

— $(\neg\varphi)^S(\mathcal{V}) = Q \setminus \varphi^S(\mathcal{V})$.

— $(\varphi_1 \vee \varphi_2)^S(\mathcal{V}) = \varphi_1^S(\mathcal{V}) \cup \varphi_2^S(\mathcal{V})$.

— $(\langle\langle A\rangle\rangle\bigcirc\varphi)^S(\mathcal{V}) = \{q \in Q \mid$ for each agent $a \in A$, there exists a set $Q_a \in \delta(q,a)$ such that for each state $q' \in \bigcap_{a \in A} Q_a$, if $q'$ is a successor of $q$, then $q' \in \varphi^S(\mathcal{V})\}$.

— $(\mu X.\varphi)^S(\mathcal{V}) = \bigcap\{Q' \subseteq Q \mid \varphi^S(\mathcal{V}[X := Q']) \subseteq Q'\}$.

Consider an AMC formula of the form $\mu X.\varphi$. Then, given a valuation $\mathcal{V}$, the subformula $\varphi$ can be viewed as a function $h^\varphi_{\mathcal{V}}$ that maps each state set $Q' \subseteq Q$ to the state set $\varphi^S(\mathcal{V}[X := Q'])$. Since all free occurrences of $X$ fall under an even number of negations, the function $h^\varphi_{\mathcal{V}}$ is monotonic; that is, if $Q' \subseteq Q''$, then $h^\varphi_{\mathcal{V}}(Q') \subseteq h^\varphi_{\mathcal{V}}(Q'')$. Consequently, by standard fixed-point theory, the function $h^\varphi_{\mathcal{V}}$ has a least fixed-point, namely, $\bigcap\{Q' \subseteq Q \mid \varphi^S(\mathcal{V}[X := Q']) \subseteq Q'\}$. Furthermore, if each state has only finitely many successor states, the function $h^\varphi_{\mathcal{V}}$ is continuous, and the least fixed-point can be computed by iterative approximation starting from $X = [false]$:

$$(\mu X.\varphi)^S(\mathcal{V}) = \bigcup_{i \geq 0} (h^\varphi_{\mathcal{V}})^i([false]).$$

If the ATS $S$ has only finitely many states, the union is finite, and the iterative approximation converges in a finite number of steps.

A sentence of AMC is a formula that contains no free occurrences of propositional variables. Sentences $\varphi$ define the same mapping $\varphi^S$ for any and all valuations. Therefore, for a state $q$ of $S$ and a sentence $\varphi$, we write $S, q \models \varphi$ ("state $q$ satisfies formula $\varphi$ in structure $S$") iff $q \in \varphi^S$. For example, the AMC formula $\mu X.(q \vee (p \wedge \langle\langle A\rangle\rangle\bigcirc X))$ is equivalent to the ATL formula $\langle\langle A\rangle\rangle p\,\mathcal{U}\,q$.



AMC expressiveness All temporal properties using the always and until operators can be defined as fixed points of next-time properties. For closed systems, this gives the $\mu$-calculus as a generalization of temporal logics. It is known that the $\mu$-calculus is more expressive than CTL*, and the alternation-free $\mu$-calculus is more expressive than CTL. Similarly, and for the same reasons, AMC is more expressive than ATL*, and its alternation-free fragment is more expressive than ATL.

Theorem 5. AMC is more expressive than ATL*. The alternation-free fragment of AMC is more expressive than ATL.

Proof: The translation from alternating-time temporal logics to AMC is very similar to the translation from branching-time temporal logics to $\mu$-calculus [EL86], with $\langle\langle A\rangle\rangle\bigcirc$ replacing $\exists\bigcirc$. We describe here the translation of ATL formulas to the alternation-free fragment of AMC. For this, we present a function

$$g : \text{ATL formulas} \to \text{alternation-free AMC formulas}$$

such that for every ATL formula $\varphi$, the formulas $\varphi$ and $g(\varphi)$ are equivalent. The function $g$ is defined inductively as follows:

— For $p \in \Pi$, we have $g(p) = p$.

— $g(\neg\varphi) = \neg g(\varphi)$.

— $g(\varphi_1 \vee \varphi_2) = g(\varphi_1) \vee g(\varphi_2)$.

— $g(\langle\langle A\rangle\rangle\bigcirc\varphi) = \langle\langle A\rangle\rangle\bigcirc g(\varphi)$.

— $g(\langle\langle A\rangle\rangle\Box\varphi) = \nu X.(g(\varphi) \wedge \langle\langle A\rangle\rangle\bigcirc X)$.

— $g(\langle\langle A\rangle\rangle\varphi_1\,\mathcal{U}\,\varphi_2) = \mu X.(g(\varphi_2) \vee (g(\varphi_1) \wedge \langle\langle A\rangle\rangle\bigcirc X))$.

To establish that AMC is more expressive than ATL*, and its alternation-free fragment is more expressive than ATL, note that for a single-agent ATS, (alternation-free) AMC is the same as the (alternation-free) $\mu$-calculus, CTL* is the same as ATL*, and CTL is the same as ATL. □
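The translation $g$ of Theorem 5, together with the positive-normal-form and alternation-free definitions of Section 6.1, as an added example (the editor's code, not the paper's): the tuple encoding of formulas, the routine that pushes negations to propositions, and the syntactic alternation checker are this example's own constructions.

```python
"""Translation g from ATL into the alternation-free fragment of AMC (Theorem 5),
followed by conversion to positive normal form and a check of the
alternation-free condition.  Added example, not the paper's code; the tuple
encodings and the checker are this example's own."""

# ATL:  ('prop', p) | ('not', f) | ('or', f, g) | ('next', A, f)
#       | ('always', A, f) | ('until', A, f1, f2)
# AMC:  ('prop', p) | ('var', X) | ('not', f) | ('or', f, g) | ('and', f, g)
#       | ('next', A, f) for <<A>>O f | ('dnext', A, f) for [[A]]O f
#       | ('mu', X, f) | ('nu', X, f)

def g(phi, counter=None):
    """Translate an ATL formula to AMC, one fresh variable per fixed point."""
    counter = [0] if counter is None else counter
    def fresh():
        counter[0] += 1
        return f"X{counter[0]}"
    kind = phi[0]
    if kind == "prop":
        return phi
    if kind == "not":
        return ("not", g(phi[1], counter))
    if kind == "or":
        return ("or", g(phi[1], counter), g(phi[2], counter))
    if kind == "next":
        return ("next", phi[1], g(phi[2], counter))
    if kind == "always":                 # nu X.(g(f) and <<A>>O X)
        X = fresh()
        return ("nu", X, ("and", g(phi[2], counter), ("next", phi[1], ("var", X))))
    if kind == "until":                  # mu X.(g(f2) or (g(f1) and <<A>>O X))
        X = fresh()
        return ("mu", X, ("or", g(phi[3], counter),
                          ("and", g(phi[2], counter), ("next", phi[1], ("var", X)))))
    raise ValueError(f"not an ATL connective: {kind!r}")

DUAL = {"or": "and", "and": "or", "next": "dnext", "dnext": "next",
        "mu": "nu", "nu": "mu"}

def pnf(f, neg=False, flipped=frozenset()):
    """Positive normal form: push negations down to propositions using the duals
    [[A]]O f = not <<A>>O not f  and  nu X.f = not mu X.not f[not X / X].
    `flipped` holds bound variables whose polarity an outer negation inverted."""
    kind = f[0]
    if kind == "prop":
        return ("not", f) if neg else f
    if kind == "var":
        return f if neg == (f[1] in flipped) else ("not", f)
    if kind == "not":
        return pnf(f[1], not neg, flipped)
    if kind in ("or", "and"):
        return (DUAL[kind] if neg else kind,
                pnf(f[1], neg, flipped), pnf(f[2], neg, flipped))
    if kind in ("next", "dnext"):
        return (DUAL[kind] if neg else kind, f[1], pnf(f[2], neg, flipped))
    if kind in ("mu", "nu"):
        X = f[1]
        inner = (flipped | {X}) if neg else (flipped - {X})
        return (DUAL[kind] if neg else kind, X, pnf(f[2], neg, inner))
    raise ValueError(f"not an AMC connective: {kind!r}")

def alternation_free(f, binders=()):
    """On a PNF formula: no nu (mu) binder on the syntactic path from a mu X
    (nu X) down to an occurrence of X."""
    kind = f[0]
    if kind == "var":
        for i in range(len(binders) - 1, -1, -1):      # innermost binder of X
            if binders[i][1] == f[1]:
                return all(b[0] != DUAL[binders[i][0]] for b in binders[i + 1:])
        return True                                     # free variable
    if kind in ("mu", "nu"):
        return alternation_free(f[2], binders + ((kind, f[1]),))
    return all(alternation_free(c, binders) for c in f[1:] if isinstance(c, tuple))

def translate(phi):
    """g(phi) in positive normal form; by Theorem 5 it is alternation free."""
    return pnf(g(phi))
```

`g(("until", A, p, q))` yields the formula $\mu X.(q \vee (p \wedge \langle\langle A\rangle\rangle\bigcirc X))$ from the end of the previous subsection, and `alternation_free` rejects $\nu X.\mu Y.((p \wedge X) \vee \langle\langle a\rangle\rangle\bigcirc Y)$ while accepting every translated ATL formula.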

The alternating-time $\mu$-calculus, however, is not a natural and convenient specification language for reasoning about open systems. Writing and understanding formulas in the $\mu$-calculus is hard already in the context of closed systems, and in practice, designers avoid the nonintuitive use of fixed points and prefer simple temporal operators (see [BBG+94]). Using AMC as a specification language for open systems would require even more complicated formulas, with extra nesting of fixed points, making the $\mu$-calculus even less appealing. So, just as CTL and CTL* capture useful and friendly subsets of the $\mu$-calculus for the specification of closed systems, ATL and ATL* capture useful and friendly subsets of AMC for the specification of open systems. This is because ATL and ATL* have as primitives parameterized path quantifiers, not just parameterized next-time operators.

AMC model checking Algorithms and tools for $\mu$-calculus model checking can be easily modified to handle AMC. Indeed, the only difference between the $\mu$-calculus and AMC is the definition of the next operator, which has a game-like interpretation in AMC. Hence, as in Section 4.1, the modification involves only the $Pre$ function. Therefore, the complexity of the model-checking problem for the $\mu$-calculus [EL86] implies the following.

Theorem 6. The model-checking problem for the alternation-free fragment of AMC can be solved in time $O(m \cdot \ell)$ for an ATS with $m$ transitions and a formula of size $\ell$. The model-checking problem for AMC can be solved in time  for an ATS with $m$ transitions and a formula of alternation depth $d \geq 1$.



AMC and propositional logic of games In [Par83], Parikh defines a propositional logic of games. Parikh's logic extends dynamic logics (e.g., PDL [FL79]) in a way similar to the way in which AMC extends the $\mu$-calculus. The formulas in Parikh's logic are built with respect to a set of atomic games, which correspond to the choices of agents in an ATS. Cooperation between agents and fixed-point expressions are specified in Parikh's logic by the usual PDL operations, such as disjunction and iteration, on games. The alternation-free fragment of AMC can be embedded into Parikh's logic. For example, the AMC formula $\mu X.(p \vee \langle\langle a, b\rangle\rangle\bigcirc X)$ corresponds to the formula $\langle(a \vee b)^*\rangle p$ in Parikh's logic. In [Par83], Parikh's logic is shown to be decidable and a complete set of axioms is given; the model-checking problem is not studied.

6.2 Game Logic 

The parameterized path quantifier $\langle\langle A\rangle\rangle$ first stipulates the existence of strategies for the agents in $A$ and then universally quantifies over the outcomes of the stipulated strategies. One may generalize ATL and ATL* by separating the two concerns into strategy quantifiers and path quantifiers, say, by writing $\exists A.\forall$ instead of $\langle\langle A\rangle\rangle$ (read $\exists A$ as "there exist strategies for the agents in $A$"). Then, for example, the formula $\varphi = \exists A.(\exists\Box\varphi_1 \wedge \exists\Box\varphi_2)$ asserts that the agents in $A$ have strategies such that for some behavior of the remaining agents, $\varphi_1$ is always true, and for some possibly different behavior of the remaining agents, $\varphi_2$ is always true.

We refer to the general logic with strategy quantifiers, path quantifiers, temporal operators, and boolean connectives as game logic (GL, for short). There are three types of formulas in GL: state formulas, whose satisfaction is related to a specific state of the given ATS $S$, tree formulas, whose satisfaction is related to a specific execution tree of $S$ (for the definition of execution trees, recall Section 5.3), and path formulas, whose satisfaction is related to a specific computation of $S$. Formally, a GL state formula is one of the following:

(S1) $p$, for propositions $p \in \Pi$.

(S2) $\neg\varphi$ or $\varphi_1 \vee \varphi_2$, where $\varphi$, $\varphi_1$ and $\varphi_2$ are GL state formulas.

(S3) $\exists A.\theta$, where $A \subseteq \Sigma$ is a set of agents and $\theta$ is a GL tree formula.

A GL tree formula is one of the following:

(T1) $\varphi$, for a GL state formula $\varphi$.

(T2) $\neg\theta$ or $\theta_1 \vee \theta_2$, where $\theta$, $\theta_1$ and $\theta_2$ are GL tree formulas.

(T3) $\exists\psi$, where $\psi$ is a GL path formula.

A GL path formula is one of the following:

(P1) $\theta$, for a GL tree formula $\theta$.

(P2) $\neg\psi$ or $\psi_1 \vee \psi_2$, where $\psi$, $\psi_1$, and $\psi_2$ are GL path formulas.

(P3) $\bigcirc\psi$ or $\psi_1\,\mathcal{U}\,\psi_2$, where $\psi$, $\psi_1$, and $\psi_2$ are GL path formulas.

The logic GL consists of the set of state formulas generated by the rules (S1-3). For instance, while the formula $\varphi$ from above is a GL (state) formula, its subformula $\exists\Box\varphi_1 \wedge \exists\Box\varphi_2$ is a tree formula.

We now define the semantics of GL. We write S, q ⊨ φ to indicate that the 
state formula φ holds at state q of the structure S. We write S, t ⊨ θ to indicate 
that the tree formula θ holds at execution tree t of the structure S. We write 
S, t, λ ⊨ ψ to indicate that the path formula ψ holds at infinite path λ of the 
execution tree t of the structure S (note that in this case, λ is a computation 
of S). If t is an execution tree of S, and x is a node of t, we write t(x) for the 
subtree of t with root x. The satisfaction relation ⊨ is defined inductively as 
follows: 

— For formulas generated by the rules (S1-2), the definition is the same as for 
ATL. For formulas generated by the rules (T2) and (P2), the definition is 
obvious. 

— q ⊨ ∃A.θ iff there exists a set F_A of strategies, one for each agent in A, such 
that exec(q, F_A) ⊨ θ. 

— t ⊨ φ for a state formula φ iff q ⊨ φ, where q is the root of the execution 
tree t. 

— t ⊨ ∃ψ for a path formula ψ iff there exists a rooted infinite path λ in t such 
that t, λ ⊨ ψ. 

— t, λ ⊨ θ for a tree formula θ iff t ⊨ θ. 

— t, λ ⊨ ○ψ iff t(λ[0, 1]), λ[1, ∞] ⊨ ψ. 

— t, λ ⊨ ψ₁ U ψ₂ iff there exists a position i ≥ 0 such that t(λ[0, i]), λ[i, ∞] ⊨ ψ₂ 
and for all positions 0 ≤ j < i, we have t(λ[0, j]), λ[j, ∞] ⊨ ψ₁. 



GL expressiveness. The logic ATL* is the syntactic fragment of GL that consists 
of all formulas in which every strategy quantifier is immediately followed 
by a path quantifier (note that ∃A.∃ is equivalent to ∃). Since the formula 
∃A.(∃□p ∧ ∃□q) is not equivalent to any ATL* formula, GL is more expressive 
than ATL*. 

Another syntactic fragment of GL is studied in module checking [KV96]. 
There, one considers formulas of the form ∃A.θ, with a single outermost strategy 
quantifier followed by a CTL or CTL* formula θ. Since the GL formula 
⟨⟨A₁⟩⟩○⟨⟨A₂⟩⟩○p is not equivalent to any formula with a single outermost strategy 
quantifier, GL is more expressive than module checking. Furthermore, from an 
expressiveness viewpoint, alternating-time logics and module checking identify 
incomparable fragments of game logic. In [KV96], it is shown that the module- 
checking complexity is EXPTIME-complete for CTL and 2EXPTIME-complete 
for CTL*, and the structure complexity of both problems is PTIME-complete. 
Hence, from a computational viewpoint, ATL is advantageous. 

GL model checking The model-checking problem for CTL* can be solved by 
repeatedly applying, in a bottom-up fashion, an LTL model-checking proce- 
dure on subformulas [EL85]. The same technique can be used in order to solve 
the model-checking problem for GL by repeatedly applying the CTL* module- 
checking algorithm from [KV96]. The complexity of CTL* module checking then 
implies the following. 

Theorem 7. The model-checking problem for GL is 2EXPTIME-complete. The 
structure complexity of the problem is PTIME-complete. 

Thus, game logic is not more expensive than ATL*. We feel, however, that unlike 
state and path formulas, tree formulas are not natural specifications of reactive 
systems. 

7 Incomplete Information 

According to our definition of ATL, every agent has complete information about 
the state of an ATS. In certain modeling situations it may be appropriate, however, 
to assume that an agent can observe only a subset of the propositions. Then, the 
strategy of the agent can depend only on the observable part of the history. In this 
section we study such agents with incomplete information. Using known results 
on multi-player games with incomplete information, we show that this setting 
is much more complex than the setting with complete information. Our main 
result is negative: we show that the ATL model-checking problem is undecidable 
for cooperating agents with incomplete information. We state this result for our 
weakest version of ATS, namely, turn-based synchronous ATS. 

7.1 ATS with Incomplete Information 

A turn-based synchronous ATS with incomplete information is a pair (S, P) 
consisting of a turn-based synchronous ATS S = (Π, Σ, Q, π, σ, R) and a vector 
P = {Π_a | a ∈ Σ} that contains sets Π_a ⊆ Π of propositions, one for each 
agent in Σ. The observability vector P defines for each agent a the set Π_a of 
propositions observable by a. Consider an agent a ∈ Σ. For a state q ∈ Q, we 
term π(q) ∩ Π_a the a-view of q. We write Q_a = 2^{Π_a} for the set of possible 
a-views, and π_a : Q → Q_a for the function that maps each state to its a-view. 
The function π_a is extended to computations of S in the natural way: if 
λ = q₀, q₁, q₂, ..., then π_a(λ) = π_a(q₀), π_a(q₁), π_a(q₂), .... Two states q and q' are 
a-stable if π(q) \ π_a(q) = π(q') \ π_a(q'); that is, q and q' agree on all propositions 
that a cannot observe. We require that the transition function of a can influence 
only propositions that a can observe and is independent of propositions that a 
cannot observe. Formally, we require that the following two conditions hold for 
all agents a ∈ Σ and all states q₁, q₁', q₂ ∈ Q. 




54 R. Alur, T.A. Henzinger, and O. Kupferman 

1. If σ(q₁) = a and R(q₁, q₁'), then q₁ and q₁' are a-stable. 

2. If σ(q₁) = σ(q₂) = a and π_a(q₁) = π_a(q₂) and R(q₁, q₁'), then for every state 
q₂' such that π_a(q₂') = π_a(q₁') and q₂ and q₂' are a-stable, we have R(q₂, q₂'). 

In other words, the transition function of agent a maps each a-view of a state in 
which a is scheduled into a set of a-views of possible successor states. Accordingly, 
we define the relation R_a ⊆ Q_a × Q_a such that R_a(v, v') iff for any and all a-stable 
states q and q' with σ(q) = a and π_a(q) = v and π_a(q') = v', we have 
R(q, q'). 

7.2 ATL with Incomplete Information 

When we specify properties of an ATS with incomplete information using ATL 
formulas, we restrict ourselves to a syntactic fragment of ATL. To see why, consider 
the ATL formula ⟨⟨a⟩⟩◇p for p ∉ Π_a. The formula requires agent a to 
have a strategy to eventually reach a state in which the proposition p, which a 
cannot observe, is true. Such a requirement does not make sense. Consequently, 
whenever a set of agents is supposed to attain a certain task, we require that 
each agent in the set can observe the propositions that are involved in the task 
(this includes all propositions that appear in the task as well as all propositions 
that are observable by agents appearing in the task). Formally, given an 
observability vector P, we define for each ATL formula φ the set inv_P(φ) ⊆ Π of 
involved propositions. The definition proceeds by induction on the structure of 
the formula: 

— For p ∈ Π, we have inv_P(p) = {p}. 

— inv_P(¬φ) = inv_P(φ). 

— inv_P(φ₁ ∨ φ₂) = inv_P(φ₁) ∪ inv_P(φ₂). 

— inv_P(⟨⟨A⟩⟩○φ) = inv_P(φ) ∪ ⋃_{a∈A} Π_a. 

— inv_P(⟨⟨A⟩⟩□φ) = inv_P(φ) ∪ ⋃_{a∈A} Π_a. 

— inv_P(⟨⟨A⟩⟩φ₁ U φ₂) = inv_P(φ₁) ∪ inv_P(φ₂) ∪ ⋃_{a∈A} Π_a. 

The ATL formula φ is well-formed with respect to the observability vector P if 
the following two conditions hold: 

1. For every subformula of φ of the form ⟨⟨A⟩⟩○θ or ⟨⟨A⟩⟩□θ and for every agent 
a ∈ A, we have inv_P(θ) ⊆ Π_a. 

2. For every subformula of φ of the form ⟨⟨A⟩⟩θ₁ U θ₂ and for every agent a ∈ A, 
we have inv_P(θ₁) ∪ inv_P(θ₂) ⊆ Π_a. 

Note that if the formula ⟨⟨A⟩⟩ψ is well-formed, then each agent in A can observe 
all propositions that are observable by agents appearing in ψ, but it may not be 
able to observe some propositions that are observable by other agents in A. 
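The following Python program is an added worked example, not code from the paper: it computes inv_P and checks the two well-formedness conditions over a small tuple-based ATL syntax. The observability vector and the formulas are constructed for the example, and ◇φ is treated as ⟨⟨A⟩⟩true U φ (an assumption, so it is handled like the until case).

```python
# Added example (not from the paper): inv_P and well-formedness (Section 7.2).
# Formulas are nested tuples, with A a frozenset of agent names:
#   ("prop", p)            ("not", phi)             ("or", phi1, phi2)
#   ("next", A, phi)       ("always", A, phi)       ("until", A, phi1, phi2)
#   ("eventually", A, phi)  -- assumed to abbreviate <<A>> true U phi

# Constructed observability vector P: agent c observes only p.
OBS = {"a": {"p", "q"}, "b": {"p", "q", "r"}, "c": {"p"}}


def obs_of(agents):
    """Union of Pi_a over the agents in A: all propositions observable by an agent in the task."""
    result = set()
    for a in agents:
        result |= OBS[a]
    return result


def inv(phi):
    """inv_P(phi): the involved propositions, by induction on the structure of phi."""
    kind = phi[0]
    if kind == "prop":
        return {phi[1]}
    if kind == "not":
        return inv(phi[1])
    if kind == "or":
        return inv(phi[1]) | inv(phi[2])
    if kind in ("next", "always", "eventually"):
        return inv(phi[2]) | obs_of(phi[1])
    if kind == "until":
        return inv(phi[2]) | inv(phi[3]) | obs_of(phi[1])
    raise ValueError("unknown formula kind: %r" % (kind,))


def violations(phi):
    """Well-formedness w.r.t. P: (agent, subformula) pairs where an agent in A cannot
    observe every involved proposition of the task it is supposed to attain."""
    kind = phi[0]
    if kind == "prop":
        return []
    if kind == "not":
        return violations(phi[1])
    if kind == "or":
        return violations(phi[1]) + violations(phi[2])
    if kind == "until":
        needed = inv(phi[2]) | inv(phi[3])        # condition 2
        inner = violations(phi[2]) + violations(phi[3])
    else:
        needed = inv(phi[2])                       # condition 1 (next, always; eventually as until)
        inner = violations(phi[2])
    bad = [(a, phi) for a in sorted(phi[1]) if not needed <= OBS[a]]
    return bad + inner


def well_formed(phi):
    return not violations(phi)


# <<a>> eventually p: a observes p, so the task makes sense.
PHI_OK = ("eventually", frozenset({"a"}), ("prop", "p"))
# <<c>> eventually q with q not in Pi_c: the meaningless requirement discussed in the text.
PHI_BAD = ("eventually", frozenset({"c"}), ("prop", "q"))
# <<a,c>> always <<b>> next p: b appears in the task, so a and c would have to see all of Pi_b.
PHI_NESTED = ("always", frozenset({"a", "c"}), ("next", frozenset({"b"}), ("prop", "p")))
# <<a,b>> next p: b observes r while a does not, which the note above allows.
PHI_JOINT = ("next", frozenset({"a", "b"}), ("prop", "p"))
```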

When we interpret an ATL formula φ over a turn-based synchronous ATS 
(S, P) with incomplete information, we require φ to be well-formed with respect 
to P. The definition of the satisfaction relation is as in the case of complete 
information (see Section 3.2), except for the following definitions of strategies 
and outcomes. Now, a strategy for an agent a ∈ Σ is a mapping f_a : Q_a⁺ → Q_a 
such that for all x ∈ (2^{Π_a})* and v, v' ∈ Q_a with f_a(x · v) = v', we have R_a(v, v'). 
Thus, the strategy f_a maps each a-view of a finite computation prefix to the a-view 
of a possible successor state. Given a state q ∈ Q, a set A ⊆ Σ of agents, and a set 
F_A = {f_a | a ∈ A} of strategies, one for each agent in A, a computation 
λ = q₀, q₁, q₂, ... is an outcome in out(q, F_A) if q₀ = q and for all positions i ≥ 0, 
if σ(q_i) ∈ A, then π_a(q_{i+1}) = f_a(π_a(λ[0, i])) for a = σ(q_i). Thus, for example, 
q ⊨ ⟨⟨A⟩⟩○φ iff either σ(q) ∈ A and there exists a σ(q)-view v ⊆ Π_{σ(q)} such 
that for all states q' with R(q, q') and π_{σ(q)}(q') = v, we have q' ⊨ φ, or σ(q) ∉ A 
and for all states q' with R(q, q'), we have q' ⊨ φ. 

Theorem 8. The model-checking problem for ATL with incomplete information 
is undecidable, even in the special case of turn-based synchronous ATS. 

Proof: The outcome problem for multi-player games with incomplete information 
has been proved undecidable by [Yan97]. This problem is identical to 
the model-checking problem for the ATL formula ⟨⟨A⟩⟩◇p on a turn-based 
synchronous ATS with incomplete information. □ 

We note that for Fair-ATL, proving undecidability is easier, and follows from 
undecidability results on asynchronous multi-player games with incomplete in- 
formation [PR79, PR90]. 

7.3 Single-agent ATL with Incomplete Information 

Single-agent ATL is the fragment of ATL in which every path quantiher is pa- 
rameterized by a singleton set of agents. In this case, where agents cannot coop- 
erate, the model-checking problem is decidable also for incomplete information. 
There is an exponential price to be paid, however, over the setting with complete 
information. 

Theorem 9. The model-checking problem for single-agent ATL with incomplete 
information is EXPTIME-complete. The structure complexity of the problem is 
also EXPTIME-complete, even in the special case of turn-based synchronous 
ATS. 

Proof: We start with the upper bound. Given a turn-based synchronous ATS 
(S, P) and an ATL formula φ, well-formed with respect to P, we label the states 
of S by subformulas of φ, starting as usual from the innermost subformulas. 
Since φ is well-formed with respect to P, for each subformula of the form ⟨⟨a⟩⟩ψ, 
the agent a can observe all labels that correspond to subformulas of ⟨⟨a⟩⟩ψ, and 
we refer to these labels as observable propositions. For subformulas generated 
by the rules (S1-2), the labeling procedure is straightforward. For subformulas 
generated by (S3), we proceed as follows. Given a state q of S, and a well-formed 
ATL formula φ' of the form ⟨⟨a⟩⟩○p, ⟨⟨a⟩⟩□p, or ⟨⟨a⟩⟩p₁ U p₂, for an agent a and 
observable propositions p, p₁, p₂, we define a turn-based synchronous ATS S' 
(with complete information) and a state q' of S' such that (S, P), q ⊨ φ' iff 
S', q' ⊨ φ'. Let S = (Π, Σ, Q, π, σ, R), and let Π_{φ'} be the set of observable 
propositions in φ' (then Π_{φ'} ⊆ Π_a). In order to define S', we need the following 
notations. First, we add to Π_a a special proposition p_a that indicates if agent a 
is scheduled to proceed; that is, for all states q ∈ Q, we have q ⊨ p_a iff σ(q) = a. 
Let Π'_a = Π_a ∪ {p_a}. For a set Q₁ ⊆ Q, an agent a ∈ Σ, and an extended a-view 
v ⊆ Π'_a, we define the v-successor of Q₁ as the set 

Q₂ = {q₂ ∈ Q | the extended a-view of q₂ is v, and there exists a state q₁ ∈ Q₁ such that R(q₁, q₂)}; 

that is, Q₂ is the set of all states with extended a-view v that are successors of 
some state in Q₁. Now, S' = (Π_{φ'}, {a, b}, Q', π', σ', R') is defined as follows: 

— Q' ⊆ 2^Q is the smallest set satisfying (1) {q} ∈ Q' and (2) for all sets Q₁ ∈ Q' 
and all a-views v ⊆ Π'_a, the v-successor of Q₁ is in Q'. Note that for all sets 
Q₁ ∈ Q', if q₁, q₂ ∈ Q₁, then q₁ and q₂ have the same a-view, and either 
agent a is scheduled to proceed in both q₁ and q₂, or a is not scheduled to 
proceed in both q₁ and q₂. Hence, each state in Q' corresponds to a set of 
states in Q that are indistinguishable by the agent a. 

— For all sets Q₁ ∈ Q', if π_a(q) = v for any and all q ∈ Q₁, then π'(Q₁) = v. 

— For all sets Q₁ ∈ Q', if σ(q) = a for any and all q ∈ Q₁, then σ'(Q₁) = a; 
otherwise, σ'(Q₁) = b. 

— For all sets Q₁, Q₂ ∈ Q', we have R'(Q₁, Q₂) iff R_a(π'(Q₁), π'(Q₂)). 

It is easy to prove that for each of the three types of φ' we have (S, P), q ⊨ φ' 
iff S', {q} ⊨ φ'. Since the size of S' is exponential in the size of S, membership 
in EXPTIME follows from Theorem 2. 

For the lower bound, we observe that the model-checking problem for the 
ATL formula ⟨⟨a⟩⟩◇p on a turn-based synchronous ATS with the two agents a 
and b and incomplete information is identical to the outcome problem for two- 
player games with incomplete information. The latter problem is known to be 
EXPTIME-hard [Rei84]. □ 
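As an added worked example (not from the paper), the following Python program checks the two conditions of Section 7.1 on a constructed turn-based synchronous ATS with agents a and b, and then builds the state set Q' of the complete-information ATS S' from the proof above by closing {q} under v-successors. The ATS, the observability vector, the dropping of empty v-successors, and the recording of the v-successor edges found by the closure (in place of the R' defined via R_a) are all assumptions of the example.

```python
# Added example (not from the paper): a-views, a-stability and the subset
# construction Q' of Theorem 9 on a constructed turn-based synchronous ATS.
PROPS = {"p", "s", "r"}
STATES = ["q0", "q1", "q2", "q3", "q4"]
PI = {"q0": {"p", "r"}, "q1": {"p"}, "q2": {"p", "s"}, "q3": set(), "q4": {"s"}}
SIGMA = {"q0": "b", "q1": "a", "q2": "a", "q3": "b", "q4": "b"}
R = {("q0", "q1"), ("q0", "q2"), ("q1", "q3"), ("q2", "q4"), ("q3", "q0"), ("q4", "q0")}
# Constructed observability vector P: a observes only p, b observes everything.
OBS = {"a": {"p"}, "b": set(PROPS)}


def view(q, agent):
    """pi_a(q): the a-view of q (the observable part of its labelling)."""
    return frozenset(PI[q] & OBS[agent])


def stable(q1, q2, agent):
    """q1 and q2 are a-stable: they agree on every proposition a cannot observe."""
    return (PI[q1] - OBS[agent]) == (PI[q2] - OBS[agent])


def check_conditions(agent):
    """Conditions 1 and 2 of Section 7.1 for one agent; returns the list of violations."""
    bad = []
    for (q1, q1p) in sorted(R):
        if SIGMA[q1] != agent:
            continue
        if not stable(q1, q1p, agent):                          # condition 1
            bad.append(("cond1", q1, q1p))
        for q2 in STATES:                                        # condition 2
            if SIGMA[q2] != agent or view(q2, agent) != view(q1, agent):
                continue
            for q2p in STATES:
                if (view(q2p, agent) == view(q1p, agent) and stable(q2, q2p, agent)
                        and (q2, q2p) not in R):
                    bad.append(("cond2", q2, q2p))
    return bad


def ext_view(q, agent):
    """Extended a-view: pi_a(q) plus the special proposition p_a when a is scheduled in q."""
    v = set(view(q, agent))
    if SIGMA[q] == agent:
        v.add("p_" + agent)
    return frozenset(v)


def v_successor(q_set, v, agent):
    """All states with extended a-view v that are R-successors of some state in q_set."""
    return frozenset(q2 for (q1, q2) in R if q1 in q_set and ext_view(q2, agent) == v)


def indistinguishable(q_set, agent):
    """The property the proof notes for every element of Q': one a-view, one scheduling."""
    return len({ext_view(q, agent) for q in q_set}) == 1


def build_knowledge_ats(q, agent, other="b"):
    """Closure Q' of {q} under non-empty v-successors, with sigma' and the edges found.
    Assumptions: empty v-successors are dropped, and each edge Q1 -v-> Q2 is the
    v-successor discovered by the closure rather than the R' defined via R_a."""
    start = frozenset([q])
    states, sched, edges, todo = {start}, {}, {}, [start]
    while todo:
        q_set = todo.pop()
        sched[q_set] = agent if all(SIGMA[x] == agent for x in q_set) else other
        edges[q_set] = {}
        for v in {ext_view(q2, agent) for (q1, q2) in R if q1 in q_set}:
            succ = v_successor(q_set, v, agent)
            edges[q_set][v] = succ
            if succ not in states:
                states.add(succ)
                todo.append(succ)
    return states, sched, edges
```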

8 Conclusions 

Methods for reasoning about closed systems are, in general, not applicable 
for reasoning about open systems. The verification problem for open systems, 
more than it corresponds to the model-checking problem for temporal logics, 
corresponds, in the case of linear time, to the realizability problem [ALW89, 
PR89a, PR89b], and in the case of branching time, to the module-checking problem 
[KV96]; that is, to a search for winning strategies. Indeed, existing methods 
for the verification of open systems could not circumvent the computational price 
caused by solving infinite games. The logic ATL introduced here identifies a class 
of verification problems for open systems for which it suffices to solve iterated 
finite games. The ensuing linear model-checking complexity for ATL shows that 
despite the pessimistic results achieved in this area so far, there is still a 
great deal of interesting reasoning about open systems that can be performed 
naturally and efficiently. 

While closed systems are naturally modeled as labeled transition systems 
(Kripke structures), we model open systems as alternating transition systems. 
In the case of closed systems, ATL degenerates to CTL, Fair-ATL to Fair- 
CTL [CES86], and ATL* to CTL*. Our model-checking complexity results are 
summarized in Table 1. All complexities in the table denote tight bounds, where 
m is the size of the system and £ is the length of the formula. 





                               Closed System         Open System 
ATL joint complexity           PTIME [CES86]         PTIME, O(m · ℓ) 
ATL structure complexity       NLOGSPACE [BVW94]     PTIME 
Fair-ATL joint complexity      PTIME [CES86]         PTIME 
Fair-ATL structure complexity  NLOGSPACE [KV95]      PTIME 
ATL* joint complexity          PSPACE [CES86]        2EXPTIME, m^{2^{O(ℓ)}} 
ATL* structure complexity      NLOGSPACE [BVW94]     PTIME 

Table 1. Model-checking complexity results 
Abstract. Modularity is advocated as a solution for the design of large 
systems; the mathematical translation of this concept is often that of 
compositionality. This paper is devoted to the issues of compositionality 
aiming at modular code generation, for dataflow synchronous languages. 
As careless storing of object code for further reuse in systems design fails 
to work, we first concentrate on the additional features needed 
to abstract programs for the purpose of code generation: we show that 
a central notion is that of scheduling specification as resulting from a 
causality analysis of the given program. Then we study separate compilation 
for synchronous programs, and we discuss the issue of distributed 
implementation using an asynchronous medium of communication ; for 
both topics we provide a complete formal study in the extended version 
[BLGA97] of this paper. Corresponding algorithms are currently under 
development in the framework of the DC+ common format for synchronous 
languages. 

Keywords : synchronous languages, modularity, code generation, sepa- 
rate compilation, desynchronisation. 



1 Motivations 

Modularity is advocated as the ultimate solution for the design of large systems, 
and this holds in particular for embedded systems, and their software and 
architecture. Modularity allows the designer to scale down design problems, and 
facilitates reuse of predefined modules. 

The mathematical translation of the concept of modularity is often that of 
compositionality. Paying attention to the composition of specifications [MP92] is 
central to any system model involving concurrency or parallelism. More recently, 
significant effort has been devoted toward introducing compositionality in 
verification, aiming at deriving proofs of large programs from partial proofs 
involving (abstractions of) components [MP95]. 

* This work is or has been supported in part by the following projects : Eureka- 
SYNCHRON, Esprit R&D SACRES (Esprit project EP 20897), Esprit LTR-SYRF 
(Esprit project EP 22703). In addition to the listed authors, the following people 
have indirectly, but strongly, contributed to this work : the STS formalism has been 
shamelessly borrowed from Amir Pnueli, and the background on labelled partial 
orders is mostly acknowledged to Paul Caspi. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 61-80, 1998. 
Springer-Verlag Berlin Heidelberg 1998 
Compilation and code generation have been given less attention from the same 
point of view, however. This is unfortunate, as it is critical for the designer to 
scale down the design of large systems by 1/ storing modules like black-box 
"procedures" or "processes" with minimal interface description, and 2/ generating 
code only using these interface descriptions, while still guaranteeing that 
final encapsulation of actual code within these black-boxes together with their 
composition, will maintain correctness of the design w.r.t. specification. 

This paper is devoted to the issues of compositionality aiming at modular code 
generation, for dataflow synchronous languages. As dataflow synchrony is 
more a paradigm than a few concrete languages or visual formalisms 
[BB91], it was desirable to abstract from any particular language. 
Thus we have chosen to work with a formalism propos
ed by Amir Pnueli, that 
of Symbolic Transition Systems (STS [Pnu97]), which is at the same time very 
lightweight, and fully general to capture the essence of the synchronous paradigm. 

Using this formalism, we study composition of specifications, a very trivial 
topic indeed. Most of our effort is then devoted to issues of compositionality that 
are critical to code generation. As careless storing of object code for further reuse 
in systems design fails to work, we first concentrate on the additional 
features needed to abstract programs for the purpose of code generation : we 
show that a central notion is that of scheduling specification as resulting from 
a causality analysis of the given program. Related issues of compositionality are 
investigated. Then we show that there is some appropriate level of "intermediate 
code", which at the same time allows us to scale down code generation for 
large systems, and still maintains correctness at the system integration phase. 
Finally we discuss the issue of distributed implementation using an asynchronous 
medium of communication. 

Besides this, let us mention that Amir Pnueli & coworkers [Pnu97] have 
introduced a more elaborate version of our STS formalism, for the purpose of 
investigating issues of compositionality in proofs involving liveness properties. 

This work was initiated within the context of the Signal synchronous language 
by P. Le Guernic and his students B. Le Goff, O. Maffeis [MLG94], and 
P. Aubry [Aub97] who finally implemented these ideas. 



2 The essentials of the synchronous paradigm 

There have been several attempts to characterize the essentials of the synchronous 
paradigm [BB91] [Halb93]. With some experience and after attempts to address 
the issue of moving from synchrony to asynchrony (and back), we feel the 
following features are indeed essential for characterizing this paradigm : 

1. Programs progress via an infinite sequence of reactions : 

P = 

where R denotes the family of possible reactions¹. 

2. Within a reaction, decisions can be taken on the basis of the absence of 
some events, as exemplified by the following typical statements, taken from 
Esterel, Lustre, and Signal respectively : 

present S else 'stat' 
y = current x 
y := u default v 

The first statement is self-explanatory. The "current" operator delivers the 
most recent value of x at the clock of the considered node; it thus has to 
test for absence of x before producing y. The "default" operator delivers 
its first argument when it is present, and otherwise its second argument. 

3. When it is defined, parallel composition is always given by taking the 
conjunction of associated reactions : 

P₁ ∥ P₂ = (R₁ ∧ R₂)^ω 

Typically, if specifying is the intention, then the above formula is a perfect 
definition of parallel composition. In contrast, if programming is the intention, 
then the need for this definition to be compatible with an operational 
semantics very much complicates the "when it is defined" prerequisite². 

Of course, such a characterization of what the synchronous paradigm is makes 
the class of "synchrony-compliant" formalisms much larger than usually 
considered. But it has been our experience that these were the key features for the 
techniques we have developed so far to work. 

Clearly, these remarks call for a common format implementing this paradigm; 
the DC/DC+ format [DC96] has been proposed with this objective. Also, this 
calls for a simplest possible formalism with the above features, on which 
fundamental questions should be investigated (the purpose of this basic synchronous 
formalism would not be to allow better specification or programming, however) : 
the STS formalism we describe next has this among its objectives. 

3 Specification : Symbolic Transition Systems (STS) [Pnu97] 

Symbolic Transition Systems (STS). We assume a vocabulary 𝒱 which is a set 
of typed variables. All types are implicitly extended with a special element ⊥ to 
be interpreted as "absent". Some of the types we consider are the type of pure 
signals with domain {t}, and booleans with domain {t, f} (recall both types are 
extended with the distinguished element ⊥). 

¹ In fact, "reaction" is a slightly restrictive term, as we shall see in the sequel that 
"reacting to the environment" is not the only possible kind of interaction a synchronous 
system may have with its environment. 

² For instance, most of the effort related to the semantics of Esterel has been directed 
toward solving this issue satisfactorily [Ber95]. 
We define a state s to be a type-consistent interpretation of 𝒱, assigning to 
each variable u ∈ 𝒱 a value s[u] over its domain. We denote by S the set of 
all states. For a subset of variables V ⊆ 𝒱, we define a V-state to be a type- 
consistent interpretation of V. 

Following [Pnu97]³, we define a Symbolic Transition System (STS) to be a 
system 

Φ = (V, Θ, ρ) 

consisting of the following components : 

— V is a finite set of typed variables, 

— Θ(V) is an assertion characterizing initial states, 

— ρ = ρ(V⁻, V) is the transition relation relating previous and current states 
s⁻ and s, by referring to both past⁴ and current versions of variables V⁻ 
and V. For example the assertion x = x⁻ + 1 states that the value of x in s 
is greater by 1 than its value in s⁻. If ρ(s⁻[V], s[V]) = t, we say that state s⁻ 
is a ρ-predecessor of state s. 

A run σ : s₀, s₁, s₂, ... is a sequence of states such that 

s₀ ⊨ Θ(s₀),    ∀i > 0 : (s_{i−1}, s_i) ⊨ ρ(s_{i−1}, s_i)    (1) 

The composition of two STS Φ₁ ∧ Φ₂ is defined as follows : 

V = V₁ ∪ V₂ 
Θ = Θ₁ ∧ Θ₂ 
ρ = ρ₁ ∧ ρ₂ , 

the composition is thus the pairwise conjunction of initial and transition 
relations. 

Notations for STS ; we shall use the following generic notations in the sequel : 

— c, v, w, ... denote STS variables. 

— for v a variable, h_v ∈ {t, ⊥} denotes its clock: 

[h_v = ⊥] ⇔ [v = ⊥] 

— for v a variable, ξ_v denotes its associated state variable, defined by : 

if h_v then ξ_v = v else ξ_v = ξ_v⁻    (2) 

with the convention that s₀[ξ_v⁻] = ⊥, i.e., ξ_v is absent before the 1st occurrence 
of v, and is always present after the 1st occurrence of v. State variable 
ξ_v is assumed to be local, i.e., is never shared among different STS, and thus 
state variables play no role for STS composition. 

³ The talented reader will also notice some close relation to the TLA model of L. 
Lamport. 

⁴ Usually, variables and primed variables are used to refer to current and next states. 
This is equivalent to our present notation. We have preferred to consider s⁻ and s, 
just because the formulae we shall write mostly involve current variables, rather than 
past ones. Using the standard notation would have resulted in a burden of primed 
variables in the formulae. 

Examples of Transition Relations : 

— a selector : 



Note that the "else" part corresponds to the property "[b = f] ∨ [b = ⊥]". 
— decrementing a register : 



where ξ_z is the state variable associated with z as in (2), and ξ_z⁻ denotes 
its previous value. The more intuitive interpretation of this statement is : 
(v_n = z_{n−1} − 1), where index "n" denotes the instants at which both v and 
z are present (their clocks are specified to be equal). The specification of a 
register would simply be : 



meaning that the clock of u is the set of instants at which boolean variable 
b is true. 

Putting things together yields the STS : 



if b then z = u else z = v 
∧ if h_z then v = ξ_z⁻ − 1 else v = ⊥ 
∧ if h_v then b = (v < 0) else b = ⊥ 
∧ h_v = h_z = h 
∧ (b = t) ⇔ (h_u = t) 

[Figure: a run of this STS, showing the values of z and u against time; image not recovered] 
A run of this STS for the z variable is depicted on the figure above. Each time u is 
received, z is reset and gets the value of u. Then z is decremented by one at each 
activation cycle of the STS, until it reaches the value 0. Immediately after this 
latter instant, a fresh u can be read, and so on. Note the schizophrenic nature 
of the "inputs" of this STS. While the value carried by u is an input, the instant 
at which u is read is not : reading of the input is demand-driven. This 
is reflected by the fact that inputs of this STS are the pair {activation clock h, 
value of u when it is present}. 

Using these primitives, datafiow synchronous languages such as Lustre 
[Halb93] and Signal [LG91] are easily encoded. 
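The following Python program is an added example, not code from the paper: it encodes the counter STS above as a relation ρ between consecutive states and drives it through a run, so that the demand-driven reading of u and the silent (stuttering) instants can be observed. Absence ⊥ is represented by None, and the initial value 0 of the state variable of z is an assumption (the text fixes none) chosen so that the first activation reads a fresh u.

```python
# Added example (not from the paper): the counter STS of Section 3 as a transition
# relation rho, plus a driver computing the unique reaction at each activation.
ABSENT = None   # the distinguished element written ⊥ in the text


def rho(xi_prev, s):
    """The STS as a relation between the previous state variable xi_z^- and the current
    state s = {u, z, v, b, xi}; one conjunct per line of the formula, plus equation (2)."""
    h = s["z"] is not ABSENT                                           # h_z: is z present?
    c1 = (s["z"] == s["u"]) if s["b"] is True else (s["z"] == s["v"])  # if b then z = u else z = v
    c2 = (s["v"] == xi_prev - 1) if h else (s["v"] is ABSENT)          # if h_z then v = xi_z^- - 1 else v = ⊥
    c3 = (s["b"] == (s["v"] < 0)) if s["v"] is not ABSENT else (s["b"] is ABSENT)  # if h_v then b = (v < 0)
    c4 = (s["v"] is not ABSENT) == h == (s["b"] is not ABSENT)         # h_v = h_z = h_b
    c5 = (s["b"] is True) == (s["u"] is not ABSENT)                    # (b = t) <=> (h_u = t)
    c6 = s["xi"] == (s["z"] if h else xi_prev)                         # state variable of z, eq. (2)
    return c1 and c2 and c3 and c4 and c5 and c6


def reaction(xi_prev, active, next_u):
    """One reaction. `active` is the activation clock h; `next_u` is called only when
    the STS demands an input (b = t). The result is checked against rho."""
    if not active:                      # silent state: all variables absent, xi kept
        s = {"u": ABSENT, "z": ABSENT, "v": ABSENT, "b": ABSENT, "xi": xi_prev}
    else:
        v = xi_prev - 1
        b = v < 0
        u = next_u() if b else ABSENT   # u is read on demand only
        z = u if b else v
        s = {"u": u, "z": z, "v": v, "b": b, "xi": z}
    assert rho(xi_prev, s), "computed reaction does not satisfy rho"
    return s


def run(activations, inputs, xi0=0):
    """Drive the STS over a list of activation-clock values (True/False), handing out
    `inputs` on demand. xi0 = 0 is the assumed initial value of xi_z. Returns the trace of z."""
    pending = list(inputs)
    xi = xi0
    trace = []
    for active in activations:
        s = reaction(xi, active, lambda: pending.pop(0))
        trace.append(s["z"])
        xi = s["xi"]
    return trace


def present_values(trace):
    """Drop silent instants: by stuttering invariance only the present values matter."""
    return [x for x in trace if x is not ABSENT]
```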

Open environments and modularity. As modularity is wanted, it is desirable that 
the pace of an STS is local to it rather than global. Since any STS is subject to 
further composition in some yet unknown environment, this makes the requirement 
of having a global pace quite inconvenient. This is why we prohibit the use 
of clocks that are always present. This has several consequences. First, it is not 
possible to consider the "complement of a clock" or the "negation of a clock" : 
this would require referring to the always present clock. Thus, as will be revealed 
by our examples, clocks will always be variables, and we shall be able to relate 
clocks only using ∧ (intersection of instants of presence), ∨ (union of instants of 
presence), and \ (set difference of instants of presence). 

Stuttering. In the same vein, it should be permitted, for an STS, to do nothing 
while the environment is possibly working. This feature has already been 
identified in the literature and is known as stuttering invariance or robustness 
[Lam83a,Lam83b]. It is central to TLA, where it is understood that a transition 
with no event at all and no change of states is always legal. 

For an STS stuttering invariance is defined as follows : if 

σ : s₀, s₁, s₂, ... 

is a run of Φ, so is 

σ' : s₀, ⊥₀, ..., ⊥₀, s₁, ⊥₁, ..., ⊥₁, s₂, ⊥₂, ..., ⊥₂, ...    (3) 

where each block ⊥ᵢ, ..., ⊥ᵢ has 0 ≤ #{⊥ᵢ} < ∞ elements, and 
where symbol ⊥ᵢ denotes a silent state in which all state variables keep the 
value they had at state sᵢ, while other variables take the value ⊥. The number 
of inserted silent states is ≥ 0 but finite. This models that the considered STS 
can do nothing for any arbitrary but finite "duration". 

Stuttering invariance is not hardwired into our STS formalism, but a quick 
inspection of all the statements we have introduced in our example reveals that 
any composition of them is stuttering invariant. More generally, any STS not 
involving the always present clock (be it directly or indirectly) is stuttering 
invariant. 
4 Compositional reasoning on causality and scheduling 
specifications 



4.1 What is the problem? 



Basically, the problem is twofold : 1/ brute-force separate compilation can cause 
deadlocks, and 2/ generating distributed code is generally not compatible with 
maintaining strict compliance with the synchronous model of computation. We 
briefly illustrate these two issues next. 



Naive separate compilation may be dangerous. This is illustrated in the following 
picture : 




The first diagram depicts the “dependencies” associated with some STS spec- 
ification : the 1st output needs the 1st input for its computation, and the 2nd 
output needs the 2nd input for its computation. The second diagram shows a 
possible scheduling, corresponding to the standard scheduling: 1/ read inputs, 
2/ compute reaction, 3/ emit outputs. This gives a correct sequential execution 
of the STS. In the third diagram, an additional dependency is enforced by set- 
ting the considered STS in some environment which reacts with no delay to its 
inputs : a deadlock is created. In the last diagram, however, it is revealed that 
this additional dependency caused by the environment indeed was compatible 
with the original specification, and no deadlock resulted from applying it. Here, 
deadlock was caused by the actual implementation of the specification, not by 
the specification itself. 

The traditional answer to this problem by the synchronous programming 
school has been to refuse to consider separate compilation : modules for further 
reuse should be stored as source code, and combined as such before code 
generation. We shall see later, however, that this does not need to be the case. 



Desynchronisation. This is illustrated in the following picture : 

[Figure: desynchronisation scenario; image not recovered] 

68 A. Benveniste, P. Le Guernic, and P. Aubry 
This figure depicts a communication scenario : two processors, modelled as 
sequential machines, exchange messages using an asynchronous medium for their 
communications. The natural structure of time is that of a partial order, as 
derived from the directed graph composed of 1/ linear time on each processor, 
and 2/ communications. This structure for time does not match the linear time 
corresponding to the infinite sequence of reactions which is the very basis of the 
synchronous paradigm. 

The need for reasoning about causality, schedulings, and communications. This 
need emerges from the above discussion. In the next subsection, we shall in- 
troduce a unique framework to handle these diverse aspects : the formalism of 
scheduling specifications. 

4.2 Scheduling specifications 

Preorders and partial orders to model causality relations, schedulings, 
and communications. Causality relations have been investigated for several 
years in the past in the area of models of distributed systems and computations. 
The classical approach considers a classical automaton, in which concurrency is 
modelled via an “independence” equivalence relation among the labels of the 
transitions. Since independence is generally not a symmetric relation (actions 
of writing and reading are not symmetric), the theory of traces [AR88] has 
been extended to so-called “semi-commutations” [CL87], and this technique has 
been recently applied to the implementation of reactive automata on distributed 
architectures [CCGJ97]. Causality preorder relations have also been used in a 
different way in [BCH1G94], from which we borrow the essentials of the present 
technique. In addition to modelling causality relations, preorders can be used 
to specify scheduling requirements, they can also be used to model send/receive 
type of communications. 

We consider a set $V$ of variables. A preorder on the set $G$ is a relation (gener- 
ically denoted by $\preceq$) which is reflexive ($x \preceq x$) and transitive ($x \preceq y$ and $y \preceq z$ 
imply $x \preceq z$). To $\preceq$ we associate the equivalence relation $\asymp$, defined by $x \asymp y$ iff 
$x \preceq y$ and $y \preceq x$. If the equivalence classes of $\asymp$ are singletons, then $\preceq$ is a partial 
order. 

The conjunction of two preorders is the minimal preorder which is an exten- 
sion of the two considered conjuncts. 
STS with scheduling specifications. Now we consider an STS $\Phi = (V, \Theta, \rho)$ as 
before, but with the following additional feature: as part of 

— $\Theta(V)$ (relation defining initial states), and 

— $\rho(V^{-}, V)$ (transition relation), 

we have preorders denoted by 

$x \preceq y$ for $x, y \in V$, 

specified via (possibly cyclic) directed graphs: 

$x \rightarrow y$ for $x, y \in V$. 

STS involving such type of preorder relation shall be called in the sequel STS with 
scheduling specifications. As preorders are just like any other relation, STS with 
scheduling specifications are just like any other STS, hence they inherit their 
properties, in particular they can be composed. 

Notations for scheduling specifications: for $b$ a variable of type $\mathrm{bool} \cup \{\bot\}$, and 
$u, v$ variables of any type, 

if $b$ then $u \rightarrow v$, resp. if $b$ else $u \rightarrow v$ 

is denoted by 

$u \xrightarrow{b} v$, resp. $u \xrightarrow{\neg b} v$. 

Note the following: 

$$\underbrace{u \xrightarrow{\neg b} v}_{b = \mathrm{false}} \;\neq\; \underbrace{\neg\,(u \xrightarrow{b} v)}_{b = \mathrm{false} \;\vee\; b = \bot} \quad !!!$$ 

In the extended version [B1GA97], Appendix A, it is shown that scheduling 
specifications have the following properties: 

$$x \xrightarrow{b} y \;\wedge\; y \xrightarrow{c} z \;\Longrightarrow\; x \xrightarrow{b \wedge c} z \qquad (4)$$ 

$$x \xrightarrow{b} y \;\wedge\; x \xrightarrow{c} y \;\Longrightarrow\; x \xrightarrow{b \vee c} y \qquad (5)$$ 

Properties (4,5) can be used to compute input/output abstractions of scheduling 
specifications : 




In this figure, the diagram on the left depicts a scheduling specification involving 
local variables. These are hidden in the diagram on the right, using rules (4,5). 
Inferring scheduling specifications from causality analysis. The idea 
supporting causality analysis of an STS specification is quite simple. On the 
one hand, a transition relation involving only the types “pure” and “boolean” 
can be solved by unification and thus made executable. On the other hand, 
a transition relation involving arbitrary types is abstracted as term rewriting, 
encoded via directed graphs. For instance, the relation $y = 2uv^2$ (involving, say, 
real types) is abstracted as $(u, v) \rightarrow y$, since $y$ can be substituted by the 
expression $2uv^2$. On the other hand, the relation $w + uv^2 > 0$ (again involving 
real types) is abstracted as the full directed graph with vertices $(u, v, w)$, as no 
term rewriting is possible. A difficulty arises from the hybrid nature of general 
STS, in which boolean variables can be computed from the evaluation of non- 
boolean expressions (e.g., $b = (x > 0)$), and then used as a control variable. 

We now provide a technique for inferring schedulings from causality analysis 
for STS specified as conjunctions of the particular set of primitive statements we 
have introduced so far. In formulae (6), each primitive statement has a scheduling 
specification associated with it, given on the corresponding right-hand side of 
the table. Given an STS specified as the conjunction of a set of such statements, 
for each conjunct we add the corresponding scheduling specification to the con- 
sidered STS. Since, in turn, scheduling specifications themselves have scheduling 
specifications associated with them, this mechanism of adding scheduling specifi- 
cations must be applied until fixpoint is reached. Note that applying these rules 
until fixpoint is reached takes at most two successive passes. In formulae (6), 
labels of schedulings are expressions involving variables in the domain $\{T, F, \bot\}$ 
ordered by $T < F < \bot$; with this in mind, expressions involving the symbols 
“$\wedge$” (min) and “$\vee$” (max) have a clear meaning. 

(R-1) for every variable $u$: 
$h_u \rightarrow u$ 

(R-2) if $b$ then $w = u$ else $w = v$: 
$u \xrightarrow{h_w \wedge b} w$, $\quad v \xrightarrow{h_w \wedge \neg b} w$, 
together with scheduling specifications relating $b$, $h_w$, $h_u$ and $h_v$ whose labels are illegible in the scan 

(R-3) $u \xrightarrow{b} w \;\Longrightarrow\;$ a scheduling specification on $b$ (right-hand side illegible in the scan) 

(R-4) $w = f(u_1, \ldots, u_k) \;\wedge\; h_w = h_{u_1} = \cdots = h_{u_k}$: 
$u_i \rightarrow w$ (edge labels illegible in the scan) 

(6) 
Rules (R-1, …, R-4), as well as the theorem to follow, are formally justified 
in [B1GA97], Appendix A, where a precise definition of “deterministic” is also 
given. 

Theorem 1 (executable STS). For $P$ an STS, 

1. Apply Rules (R-1, …, R-4) until fixpoint is reached: this yields an STS we 
call sched($P$). 

2. A sufficient condition for $P$ to have a unique deterministic run is: 

(a) sched($P$) is provably circuit-free at each instant, meaning that it is never 
true that 

$$x_1 \xrightarrow{b_1} x_2 \xrightarrow{b_2} x_1 \quad \text{and} \quad (b_1 \wedge b_2 = T)$$ 

unless $x_1 = x_2$ holds. 

(b) sched($P$) has provably no multiple definition of variables at any instant, 
meaning that, whenever 

$$\text{if } b_1 \text{ then } x = \mathit{exp}_1 \;\wedge\; \text{if } b_2 \text{ then } x = \mathit{exp}_2$$ 

holds in $P$ and the $\mathit{exp}_1$ and $\mathit{exp}_2$ are different expressions, then 

$$b_1 \wedge b_2 = T$$ 

never holds in $P$. 

Then $P$ is said to be executable, and sched($P$) provides (dynamic) scheduling 
specifications for this run. 
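The two mechanical parts of what precedes, hiding local variables with rules (4) and (5) and checking condition (a) of Theorem 1, are illustrated by the following added example. It is constructed for this section and is not code from the paper or from any compiler the paper describes; the dependency specification, the variable names $h, b, u, v, w, y, z$ and the encoding of labels as nested tuples are assumptions made here. The reading of a label $\neg b$ as active only when $b = F$ follows the note on notations above; condition (a) is checked by enumerating the values of the label variables, which is enough for the small specifications used as input.

```python
"""Scheduling specifications as boolean-labelled dependency graphs.

Constructed example for this section (not code from the paper): hiding a local
variable with rules (4) and (5), and checking condition (a) of Theorem 1
(circuit-freeness at every instant) by enumerating the label variables.
"""
from itertools import product

T, F, ABSENT = 'T', 'F', '⊥'   # three-valued domain of clock/boolean variables

# A label is a nested tuple over variable names:
#   'b'             -- the edge is active when b = T
#   ('not', 'b')    -- active when b = F  (not when b = ⊥, see the note on notations)
#   ('and', l, m)   -- produced by rule (4)
#   ('or',  l, m)   -- produced by rule (5)

def holds(label, env):
    """Evaluate a label at one instant; `env` maps variables to T, F or ⊥."""
    if isinstance(label, str):
        return env.get(label, ABSENT) == T
    op, *args = label
    if op == 'not':
        return env.get(args[0], ABSENT) == F
    if op == 'and':
        return holds(args[0], env) and holds(args[1], env)
    if op == 'or':
        return holds(args[0], env) or holds(args[1], env)
    raise ValueError(f"unknown label operator {op!r}")

def _add(spec, edge, label):
    """Insert an edge, merging with an existing parallel edge by rule (5)."""
    spec[edge] = ('or', spec[edge], label) if edge in spec else label

def hide(spec, local):
    """Input/output abstraction: remove `local` from the spec (a dict edge -> label).
    Every x -b-> local -c-> z becomes x -(b and c)-> z by rule (4)."""
    out = {}
    for (x, z), lab in spec.items():
        if local not in (x, z):
            _add(out, (x, z), lab)
    preds = [(x, lab) for (x, z), lab in spec.items() if z == local]
    succs = [(z, lab) for (x, z), lab in spec.items() if x == local]
    for (x, b), (z, c) in product(preds, succs):
        if x != z:                      # assumes the spec is circuit-free (Theorem 1(a))
            _add(out, (x, z), ('and', b, c))
    return out

def active_edges(spec, env):
    return [edge for edge, lab in spec.items() if holds(lab, env)]

def has_circuit(edges):
    """Depth-first search for a cycle among the active dependencies."""
    succ = {}
    for x, z in edges:
        succ.setdefault(x, []).append(z)
    state = {}                          # vertex -> 'grey' (on stack) or 'black' (done)

    def visit(v):
        state[v] = 'grey'
        for w in succ.get(v, []):
            if state.get(w) == 'grey' or (w not in state and visit(w)):
                return True
        state[v] = 'black'
        return False

    return any(v not in state and visit(v) for v in list(succ))

def circuit_free_at_every_instant(spec, variables):
    """Condition (a) of Theorem 1 by exhaustive enumeration of the label variables.
    Returns (True, None) or (False, offending_instant)."""
    for values in product((T, F, ABSENT), repeat=len(variables)):
        env = dict(zip(variables, values))
        if has_circuit(active_edges(spec, env)):
            return False, env
    return True, None

# Constructed spec for  "if b then y = u else y = v  /\  z = f(y, w)"  with y local,
# all on activation clock h (labels of the shape rule (R-2) produces).
SPEC = {
    ('u', 'y'): ('and', 'h', 'b'),
    ('v', 'y'): ('and', 'h', ('not', 'b')),
    ('y', 'z'): 'h',
    ('w', 'z'): 'h',
}
ABSTRACT = hide(SPEC, 'y')              # interface spec: only u, v, w -> z remain

# Constructed spec with a conditional circuit: x -b-> y -c-> x.
CYCLIC = {('x', 'y'): 'b', ('y', 'x'): 'c'}

if __name__ == '__main__':
    for edge, lab in sorted(ABSTRACT.items()):
        print(edge, lab)
    print(circuit_free_at_every_instant(SPEC, ['h', 'b']))      # (True, None)
    print(circuit_free_at_every_instant(CYCLIC, ['b', 'c']))    # (False, {'b': 'T', 'c': 'T'})
```

The abstraction keeps the conditional character of the dependencies: after hiding $y$, the edge from $u$ to $z$ is still active only when $b = T$, and the edge from $v$ to $z$ only when $b = F$, not when $b$ is absent. The cyclic specification is accepted at every instant where at most one of the two labels is true and rejected as soon as both are, which is exactly what condition (a) excludes.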



Examples. We show here some STS statements and their associated scheduling 
as derived from causality analysis. In the following figures, vertices in boldface 
denote input clocks, vertices in bold-italic denote input data, and vertices in 
Courier denote other variables. It is of interest to distinguish between these two different 
types of inputs, as input reading for an STS can occur with any combination of 
data- and demand-driven mode. Note that, for each vertex of the graph, the 
labels sitting on the incoming branches are evaluated prior to the considered 
vertex. Thus, when this vertex is to be evaluated, it is already known which 
other variables are needed for its evaluation. See the appendix for a formal 
support of this claim. 



A data-driven statement: if $b$ then $z = u$ else $z = v$ 

[Figure: scheduling graph of this statement. Legend: input clock, input data, other. Vertices $b$, $u$, $v$, $z$; edges $u \xrightarrow{h_z \wedge b} z$ and $v \xrightarrow{h_z \wedge \neg b} z$] 

In the above example, input data are pairwise associated with corresponding 
input clocks: this STS reads its inputs in a purely data-driven mode, input pat- 
terns $(u, v, b)$ are free to be present or absent, and, when they are present, their 
value is free also. We call it a “reactive” STS. 



Decrementing a register: if $h_z$ then $v = $ [expression illegible in the scan] else $v = \bot$ 

[Figure: scheduling graph of this statement; $z$ is local, $h$ is the clock] 

The full example: 

if $b$ then $z = u$ else $z = v$ 
$\wedge$ if $h_z$ then $v = $ [expression illegible in the scan] else $v = \bot$ 
$\wedge$ if $h_v$ then $b = (v < 0)$ else $b = \bot$ 
$\wedge$ $h_v = h_z = h_b$ 
$\wedge$ $(b = T) = (h_u = T)$ 

[Figure: scheduling graph of the full example, unrolled along the time axis] 

Applying the rules (R-1, …, R-4) for inferring schedulings from causality, we get: 

if $b$ then $z = u$ else $z = v$ 
$\wedge$ if $h_z$ then $v = $ [expression illegible in the scan] else $v = \bot$ 
$\wedge$ if $h_v$ then $b = (v < 0)$ else $b = \bot$ 
$\wedge$ $h_v = h_z = h_b =_{\mathrm{def}} h$ 
$\wedge$ $(b = T) = (h_u = T)$ 

[Figure: the resulting scheduling graph, in which $h$ and $v_u$ are the only inputs] 

Note the change in control: {input clock, input data} have been drastically 
modified from the “if $b$ then $z = u$ else $z = v$” statement to the complete 
STS: inputs now consist of the pair $\{h, v_u\}$, where $v_u$ refers to the value carried 
by $u$ when present. Reading of $u$ occurs on demand, when condition $b$ is true. 
Thus we call such an STS “proactive”. 



Summary. What do we get at this stage? 

1. STS composition is just the conjunction of constraints. 

2. Since preorders are just relations, scheduling specifications do compose as 
well. 

3. As causality analysis is based on an abstraction, the rules (R-1, …, R-4) for 
inferring scheduling from causality are bound to the syntax of the STS con- 
juncts. 

4. Hence, in order to maximize the chance of effectively recognizing that an STS 
$P$ is executable, $P$ is generally rewritten in a different but semantically equiv- 
alent syntax (runs remain the same) while causality analysis is performed⁶. 
But this latter operation is global and not compositional: here we reach the 
limits of brute-force compositionality. 

5 Modular and distributed code generation 

Two major issues need to be considered : 

1. Relaxing synchrony is needed if distribution over possibly asynchronous me- 
dia is desired without paying the price for maintaining the strong synchrony 
hypothesis via costly protocols. 

2. Designing modules equipped with proper interfaces for subsequent reuse, and 
generating a correct scheduling and communication protocol for these mod- 
ules, is the key to modularity. 

We consider these two issues next. 

⁶ This is part of the job performed by the Signal compiler’s “clock calculus”. 
5.1 Relaxing synchrony 

The major problem is that of testing for absence in an asynchronous environ- 
ment! This is illustrated in the following picture, in which the information of 
“which are the variables present in the considered instant” is lost when passing 
from the left to the right hand side, since an explicit definition of the “instant” is not avail- 
able any more: 

[Figure: left, a synchronous history in which a test for absence is performed; right, the same history once desynchronized, where the test is replaced by a question mark. Panels labelled “synchrony” and “asynchrony”] 

The question mark indicates that it is generally not possible, in an asynchronous 
environment, to decide upon presence/absence of a signal relative to another 
one. The major problem is that of “testing for absence” as being part of the con- 
trol. While this is perfectly sound in a synchronous paradigm, this is meaningless 
in an asynchronous one. 

The solution consists in restricting ourselves to so-called endochronous STS. 
Endochronous STS are those for which the control depends only on 1/ the previ- 
ous state, and 2/ the values possibly carried by environment signals, but not on 
the presence/absence status of these signals. An endochronous STS can work as a 
(synchronous) module working in a distributed execution using an asynchronous 
communication medium, provided that this medium satisfies the two require- 
ments of 1/ not losing messages, and 2/ not changing the order of messages. 

An example of an STS which is “exochronous” (i.e., not endochronous) is the 
“reactive” STS given on the left hand side of the following picture, whereas the 
“proactive” STS shown on the right hand side is an endochronous STS : 




In the diagram on the left hand side, three different clocks are source nodes 
of the directed graph. This means that the primary decision in executing a re- 
action consists in deciding upon relative presence/absence of these clocks. In 
contrast, in the diagram on the right hand side, only one clock, the activation 
clock $h$, is a source node of the graph. Hence no test for relative presence/absence 
is needed, and the control only depends on the value of the boolean variable $b$, 
which is computed internally. 

How endochrony allows us to desynchronize an STS is illustrated in an intu- 
itive way on the following diagram, which depicts the scheduling specification 
associated with the (endochronous) pseudo-statement 

“if $b$ then get $u$”: 

[Figure: left, a history of this statement with successive instants separated by thick dashed lines; middle, one instant twisted; right, the thick dashed lines removed] 

In the left diagram, a history of this statement is depicted, showing the suc- 
cessive instants (or reactions) separated by thick dashed lines. In the middle, 
an instant has been twisted, and in the last one, thick dashed lines have been 
removed. Clearly, no information has been lost: we know that $u$ should be got 
exactly when $b = T$, and thus it is only needed to wait for $b$ in order to know 
whether $u$ is to be waited for also. A formal study of desynchronization and 
endochrony is presented in [B1GA97], Appendix B. 

Moving from exochronous to endochronous is easily performed; we only show 
one typical but simple example: 

[Figure: left, an exochronous STS with two input clocks $k$, $k'$ and their input data; right, its endochronous version, in which booleans $b$, $b'$ on a common clock $h$ carry the presence information. Legend: input clock, input data, other] 

The idea is to add to the considered STS a monitor which delivers the informa- 
tion of presence/absence via the $b, b'$ boolean variables with identical clock $h$, i.e., 
$\{k = T\} = \{b = T\}$, and similarly for $k', b'$. The resulting STS is endochronous, 
since boolean variables $b, b'$ are scrutinized at the pace of activation clock $h$. 
Other schemes are also possible. 
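The loss of instant boundaries under desynchronization, the reconstruction performed by an endochronous reader, and the exo2endo monitor just described can be played out on small synchronous histories. The following is an added example written for this subsection; it is not code from the paper. A history is represented as a list of instants, each a dictionary from present signal names to values, and the asynchronous medium as one FIFO per signal, which neither loses nor reorders messages (the two requirements stated above). The signal names and the histories are constructed for the example; the presence booleans are named $k_u, k_v$ rather than $b, b'$ to keep them apart from the data.

```python
"""Desynchronization and endochrony.

Constructed example for Section 5.1 (not code from the paper): a synchronous
history is turned into one FIFO per signal (instant boundaries are lost, as the
figure shows), then read back.  The endochronous `if b then get u` reader
reconstructs the instants exactly; the exochronous reactive pattern cannot be
reconstructed unless a monitor adds presence booleans on the common clock h
(the exo2endo scheme).  Signal names and histories are constructed here.
"""
from collections import deque

ABSENT = None          # ⊥: the signal is absent at this instant

def desynchronize(history, signals):
    """One FIFO per signal; the medium neither loses nor reorders messages.
    Absence leaves no trace, and the instant boundaries disappear."""
    fifos = {s: deque() for s in signals}
    for instant in history:
        for s in signals:
            if instant.get(s, ABSENT) is not ABSENT:
                fifos[s].append(instant[s])
    return fifos

def read_if_b_then_get_u(fifos):
    """Endochronous reader for `if b then get u`: the decision to wait for u
    depends only on the value of b, never on whether u is present."""
    history = []
    while fifos['b']:
        b = fifos['b'].popleft()
        instant = {'b': b}
        if b:
            instant['u'] = fifos['u'].popleft()
        history.append(instant)
    return history

def indistinguishable(h1, h2, signals):
    """True when two synchronous histories leave identical FIFOs behind, i.e.
    an asynchronous reader cannot tell them apart (a test for absence is lost)."""
    f1, f2 = desynchronize(h1, signals), desynchronize(h2, signals)
    return all(list(f1[s]) == list(f2[s]) for s in signals)

def exo2endo(history, data_signals):
    """Monitor: at every instant of the activation clock h, add a boolean
    k_<s> = (s present) for each input data signal s."""
    return [dict(instant, **{f'k_{s}': instant.get(s, ABSENT) is not ABSENT
                             for s in data_signals})
            for instant in history]

def read_endo(fifos, data_signals):
    """Endochronous reader for the monitored STS: read the presence booleans of
    the instant first, then exactly the data they announce."""
    history = []
    while fifos[f'k_{data_signals[0]}']:
        instant = {}
        for s in data_signals:
            k = fifos[f'k_{s}'].popleft()
            instant[f'k_{s}'] = k
            if k:
                instant[s] = fifos[s].popleft()
        history.append(instant)
    return history

# Constructed histories (one dict per instant; a missing key means absent).
PROACTIVE = [{'b': True, 'u': 3}, {'b': False}, {'b': True, 'u': 7}]
REACTIVE_1 = [{'u': 1, 'v': 5}, {'u': 2}]
REACTIVE_2 = [{'u': 1}, {'u': 2, 'v': 5}]      # leaves the same FIFOs as REACTIVE_1

def roundtrip_proactive():
    return read_if_b_then_get_u(desynchronize(PROACTIVE, ['b', 'u']))

def roundtrip_monitored(history, data_signals=('u', 'v')):
    """Return (history read back after exo2endo + desynchronization, monitored history)."""
    monitored = exo2endo(history, data_signals)
    signals = [f'k_{s}' for s in data_signals] + list(data_signals)
    return read_endo(desynchronize(monitored, signals), data_signals), monitored

if __name__ == '__main__':
    print(roundtrip_proactive() == PROACTIVE)                      # True
    print(indistinguishable(REACTIVE_1, REACTIVE_2, ['u', 'v']))   # True: information lost
    got, expected = roundtrip_monitored(REACTIVE_1)
    print(got == expected)                                          # True
```

The reactive histories REACTIVE_1 and REACTIVE_2 differ only in which instant carries $v$, which is precisely a relative presence/absence question; after desynchronization they are identical, so no reader can recover the original. Once the monitor has added the presence booleans on the common clock, the reader waits for the booleans first and then for exactly the data they announce, and both histories are recovered exactly.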



5.2 Generating scheduling for separate modules 

Relevant target architectures for embedded applications typically are 1/ purely 
sequential code (such as C code), 2/ code using a threading or tasking mechanism 
provided by some kind of a real-time OS (here the threading mechanism offers 
some degree of concurrency), or 3/ DSP-type multiprocessor architectures with 
associated communication media. 

On the other hand, the scheduling specifications we derive from rules (R-1, …, R-4) 
of causality analysis still exhibit maximum concurrency. Actual imple- 
mentations will have to conform to these scheduling specifications. In general, 
they will exhibit less (and even sometimes no) concurrency, meaning that further 
sequentialization has been performed to generate code. 

Of course, this additional sequentialization can be the source of potential, 
otherwise unjustified, deadlock when the considered module is reused in the 
form of object code in some environment; this was illustrated in subsection 4.1. 
The traditional answer to this problem by the synchronous programming school 
has been to refuse considering separate compilation: modules for further reuse 
should be stored as source code, and combined as such before code generation. 

We shall however see that this does not need to be the case. Instead, 
a careful use of the scheduling specifications of an STS will allow us to decompose 
it into modules that can be stored as object code for further reuse, whatever the 
actual environment and implementation architecture will be. 



The case of single-clocked STS. We first discuss the case of single-clocked STS, in 
which all variables have the same clock. The issue is illustrated in the following 
picture, in which the directed graph defining the circuit-free scheduling specifi- 
cation of some single-clocked STS is depicted: 

[Figure: a circuit-free scheduling graph of a single-clocked STS; gray zones group the variables that depend on the same subset of inputs] 

In the above picture, the gray zones group all variables which depend on the 
same subset of inputs; let us call them “tasks”. Tasks are not subject to the 
risk of creating fake deadlocks from implementation. In fact, as all variables be- 
longing to the same task depend on the same inputs, each task can be executed 
according to the following scheme: 1/ collect inputs, 2/ execute task. The ac- 
tual way the task is executed is arbitrary, provided it conforms to the scheduling 
specification. 
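The grouping into tasks and the “collect inputs, then execute” scheme can be made concrete on a small circuit-free scheduling graph. The following is an added example written for this subsection, not code from the paper or from a Signal compiler: it computes, for every non-input variable, the set of inputs it transitively depends on, groups variables with equal sets into tasks, emits a fully sequential schedule that runs tasks in order of growing dependency set, and checks that schedule against every edge of the specification. The graph, the input names $a, b, c$ and the other variable names are constructed for the example.

```python
"""Partitioning a single-clocked scheduling specification into tasks.

Constructed example for the single-clocked case (not code from the paper): the
variables that depend on the same subset of inputs form one task; each task is
then run as "collect its inputs, execute", and the resulting fully sequential
schedule is checked against the scheduling specification.  The dependency
graph, the input names a, b, c and the other variable names are constructed.
"""
from collections import defaultdict

def input_closure(spec, inputs):
    """Map every non-input vertex of the circuit-free graph `spec` (a list of
    edges (x, y) meaning "x before y") to the set of inputs it depends on."""
    preds = defaultdict(set)
    for x, y in spec:
        preds[y].add(x)
    memo = {}

    def deps(v):
        if v in inputs:
            return frozenset([v])
        if v not in memo:
            memo[v] = frozenset().union(*(deps(p) for p in preds[v]))
        return memo[v]

    return {v: deps(v) for edge in spec for v in edge if v not in inputs}

def tasks(spec, inputs):
    """Group variables by dependency set: one task per distinct set of inputs."""
    groups = defaultdict(set)
    for v, d in input_closure(spec, inputs).items():
        groups[d].add(v)
    return {d: frozenset(vs) for d, vs in groups.items()}

def topological(vertices, spec):
    """Order the variables of one task so that every edge inside it is honoured
    (one arbitrary internal scheduling of the task)."""
    remaining, order = set(vertices), []
    while remaining:
        ready = sorted(v for v in remaining
                       if not any(x in remaining for x, y in spec if y == v))
        if not ready:
            raise ValueError("circuit inside a task")
        order.extend(ready)
        remaining -= set(ready)
    return order

def sequential_schedule(spec, inputs):
    """Tasks in order of growing dependency set (an edge x -> y never shrinks the
    set), each as ('collect', inputs) followed by ('run', variable) steps."""
    by_task = tasks(spec, inputs)
    steps = []
    for dep_set in sorted(by_task, key=lambda d: (len(d), sorted(d))):
        steps.append(('collect', dep_set))
        steps.extend(('run', v) for v in topological(by_task[dep_set], spec))
    return steps

def conforms(steps, spec):
    """Check a schedule against the spec: for every edge x -> y, x has been
    run (or collected as an input) before y runs."""
    done = set()
    for kind, payload in steps:
        if kind == 'collect':
            done |= set(payload)
        else:
            if any(x not in done for x, y in spec if y == payload):
                return False
            done.add(payload)
    return True

# Constructed single-clocked spec: inputs a, b, c; x1, x2 need only a; y needs a, b;
# z needs b, c; w needs all three.
INPUTS = frozenset({'a', 'b', 'c'})
SPEC = [('a', 'x1'), ('x1', 'x2'), ('x2', 'y'), ('b', 'y'),
        ('b', 'z'), ('c', 'z'), ('y', 'w'), ('z', 'w')]

if __name__ == '__main__':
    for dep_set, members in sorted(tasks(SPEC, INPUTS).items(),
                                   key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(dep_set), '->', sorted(members))
    schedule = sequential_schedule(SPEC, INPUTS)
    print(schedule, conforms(schedule, SPEC))
```

Running the tasks in order of growing dependency set is sufficient because, along any edge $x \rightarrow y$, the inputs of $y$ include those of $x$; the two tasks with incomparable sets ($\{a, b\}$ and $\{b, c\}$ in the example) have no edge between them, so either order is valid, and a real-time kernel may suspend and resume them freely, which is the point made in the paragraphs that follow.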

In the next picture, we show how the actual implementation will be prepared: 

[Figure: the tasks of the previous picture drawn as black boxes. Legend: input clock, input data, other. Annotations: “they all depend on the same inputs”; “task activation, or RPC, or ...”; “black-box tasks, they can be preempted!”; “sequential code, or procedure call, or ...”] 

The thick arrows inside the task depicted on the bottom show one possible 
fully sequential scheduling of this task. Then, what should be really stored as 
source code for further reuse is only the abstraction consisting of the tasks viewed 
as black boxes, together with their associated interface scheduling specifications. 

In particular, if the supporting execution architecture involves a real-time 
tasking system implementing some preemption mechanism in order to dynami- 
cally optimize scheduling for best response time, tasks can be freely suspended/resumed 
by the real-time kernel, without impairing conformity of the object code to its 
specification. 



The general case of multiple-clocked STS. The generalization is illustrated in the 
following picture: 

[Figure: the task structure of the single-clocked case, now with clock-dependent task activation, or RPC, or ...] 

The only new point is that all items discussed before are now clock-dependent. 
Thus the computations of the “tasks”, their internal scheduling, and their ab- 
straction, must be performed using scheduling specifications labelled by booleans. 
In the above example, the considered STS is activated by some clock $h$, which in 
turn defines the activation clock $k$ of the depicted task. The bottom line is: 

1. Different tasks can have different activation clocks. 

2. For each task, the internal scheduling generally depends on some internal 
clocks, i.e., on some predicates involving internal states of the task. Thus the 
internal scheduling is dynamic, but can be precomputed at compile time. 

3. Also, the task abstraction has a clock-dependent scheduling specification. 
This is another source of dynamic scheduling, also computed at compile time: 
it is implemented in the form of a “software monitor” which opens/forbids 
the possibility of executing a given task at a given instant, depending on the 
current status of the STS clocks. 

4. This software monitor can be combined with the interruption mechanism of 
the supporting real-time kernel intended to optimize response time of the 
execution, without impairing conformity of the object code to its specifica- 
tion. 

5.3 The bottom line: modular and distributed code generation 

The whole approach is summarized in the following diagram: 

[Figure: three modules with their tasks and monitors. Labels: “original module”; “monitor: exo2endo + scheduling”; “all items are clock-dependent!!”] 

In this diagram, gray rectangles denote three modules $P_1, P_2, P_3$ of the source 
STS specification, hence given by $P = P_1 \wedge P_2 \wedge P_3$. We assume here that this par- 
titioning has been given by the designer, based on functional and architectural 
considerations. Note that the idempotence of STS composition ($Q \wedge Q = Q$) allows 
us to duplicate source code at convenience while partitioning the specification. 

Then, white bubbles inside the gray rectangles depict the structuring into 
tasks as discussed before. 

Finally the black half-ellipses denote the monitors. Monitors are in charge of 
1/ providing the additional control to make the considered module endochronous 
if asynchronous communication media are to be used, and 2/ specifying the 
scheduling of the abstract tasks. 

In principle, communication media and real-time kernels do not need to be 
specified here, as they can be used freely provided they respect the send-receive 
abstract communication model and conform to the scheduling constraints set by 
the monitors. 
6 Conclusion 

The above approach is supported by the DC+ common format for synchronous 
languages [DC96]. The DC+ format is one possible concrete implementation 
of our STS model, including scheduling specifications. It serves as a basis for 
the code generation suite in the Esprit SACRES project. S. Machard and E. 
Rutten are currently working on generic code generation based on this work, 
with different real-time OS and architectures as targets. 
Abstract. The main problem in model checking that prevents it from 
being used for verification of large systems is the state explosion problem. 
This problem often arises from combining parallel processes together. 
Many techniques have been proposed to overcome this difficulty and, 
thus, increase the size of the systems that model checkers can handle. We 
describe several compositional model checking techniques used in practice 
and show a few examples demonstrating their performance. 



1 Introduction 

Symbolic model checking is a very successful method for verifying complex finite- 
state reactive systems [7]. It models a computer system as a state-transition 
graph. Efficient algorithms are used to traverse this graph and determine whether 
various properties are satisfied by the model. By using BDDs [5] it is possible to 
verify extremely large systems having as many as [number illegible in the scan] states. Several systems 
of industrial complexity have been verified using this technique. These systems 
include parts of the Futurebus+ standard [12,19], the PCI local bus [10,20], a 
robotics system [8] and an aircraft controller [9]. 

In spite of such success, symbolic model checking has its limitations. In some 
cases the BDD representation can be exponential in the size of system descrip- 
tion. This behavior is called the state explosion problem. The primary cause of 
this problem is parallel composition of interacting processes. The problem occurs 
because the number of states in the global model is exponential in the number 
of component processes. Explicit state verifiers suffer from the state explosion 
problem more severely than symbolic verifiers. However, the problem afflicts 
symbolic verification systems as well, preventing them from being applied to 
larger and more complex examples. 

The state explosion can be alleviated using special techniques such as compo- 
sitional reasoning. This method verifies each component of the system in isola- 
tion and allows global properties to be inferred about the entire system. Efficient 
algorithms for compositional verification can extend the applicability of formal 
verification methods to much larger and more interesting examples. In this paper 
we describe several approaches to compositional reasoning. Some are automatic 
and are almost completely transparent to the user. Others require more user 
intervention but can achieve better results. Each is well suited for some applica- 
tions while not so efficient for others. 

[Footnote fragment (acknowledgements): … No. CCR-9505472, and the Defense Advanced Research Projects Agency (DARPA) …] 

For example, partitioned transition relations [6] and lazy parallel composition 
[11,27] are automatic and, therefore, preferred in cases where user intervention 
is not desired (for example, when the user is not an expert). These techniques 
provide a way to compute the set of successors (or predecessors) of a state set 
without constructing the transition relation of the global system. Both use the 
transition relations of each component separately during traversal of the state 
graph. The individual results are combined later to give the set of states in the 
global graph that corresponds to the result of the operation being performed. 

Another automatic technique is based on the use of interface processes. This 
technique attempts to minimize the global state transition graph by focusing on 
the communication among the component processes. The method considers the 
set of variables used in the interface between two components and minimizes the 
system by eliminating events that do not relate to the communication variables. 
In this way, properties that refer to the interface variables are preserved, but the 
model becomes smaller. 

Assume-guarantee reasoning [17] is a manual technique that verifies each 
component separately. The behavior of each component depends on the behavior 
of the rest of the system, i.e., its environment. Because of this, the user must 
specify properties that the environment has to satisfy in order to guarantee the 
correctness of the component. These properties are assumed. If these assumptions 
are satisfied, the component will satisfy other properties, called guarantees. By 
combining the set of assume/guarantee properties in an appropriate way, it is 
possible to demonstrate the correctness of the entire system without constructing 
the global state graph. 

All of these methods have been used to verify realistic systems. This shows 
that compositional reasoning is an effective method for increasing the applica- 
bility of model checking tools. Furthermore, it is a necessity for verification of 
many complex industrial systems. 

The remainder of this paper is organized as follows: Section 2 introduces 
the formal model that we use for finite-state systems and the kinds of parallel 
composition we consider. Section 3 describes partitioned transition relations, and 
Section 4 discusses lazy parallel composition. Interface processes and assume- 
guarantee reasoning are described in Sections 5 and 6, respectively. Finally, the 
paper concludes in Section 7 with a summary and some directions for future 
research. 
2 The Model 

Given the description of the system to be verified, constructing its model involves 
two important steps. The first is constructing the model for the individual com- 
ponents. The second is composing these submodels into a global model. We 
start by showing how to represent each component symbolically given its state- 
transition graph. Then we describe the parallel composition algorithm used to 
create the global model. 

2.1 Representing a Single Component 

Representing a state-transition graph symbolically involves determining its set 
of states and deriving the transition relation of the graph that models the com- 
ponent. Consider a system with a set of variables $V$. For a synchronous circuit, 
the set $V$ is typically the outputs of all the registers in the circuit together with 
the primary inputs. In the case of an asynchronous circuit, $V$ is usually the 
set of all nodes. For a protocol or software system, $V$ is the set of variables in 
the program. A state can be described by giving values to all the variables in 
$V$. Since the system is finite-state we can encode all states by boolean vectors. 
Throughout the paper we assume that this encoding has already been done and 
that all variables in $V$ are boolean. Therefore, a state can be described by a 
valuation assigning either 0 or 1 to each variable. Given a valuation, we can also 
write a boolean expression which is true for exactly that valuation. For example, 
given $V = \{v_0, v_1, v_2\}$ and the valuation $(v_0 \leftarrow 1, v_1 \leftarrow 1, v_2 \leftarrow 0)$, we derive the 
boolean formula $v_0 \wedge v_1 \wedge \neg v_2$. This boolean formula can then be represented 
using a BDD. 

In general, however, a boolean formula may be true for many valuations. If 
we adopt the convention that a formula represents the set of all valuations that 
make it true, then we can describe sets of states by boolean formulas and, hence, 
by BDDs. In practice, BDDs are often much more efficient than representing sets 
of states explicitly. We denote sets of states with the letter $S$ and we denote the 
BDD representing the set $S$ by $S(V)$, where $V$ is the set of variables that the 
BDD may depend on. We also use [symbol illegible in the scan] for arbitrary boolean functions. 

In addition to representing sets of states of a system, we must be able to 
represent the transitions that the system can make. To do this, we extend the 
idea used above. Instead of just representing a set of states using a BDD, we 
represent a set of ordered pairs of states. We cannot do this using just a single 
copy of the state variables, so we create a second set of variables $V'$. We think of 
the variables in $V$ as current state variables and the variables in $V'$ as next state 
variables. Each variable $v$ in $V$ has a corresponding next state variable in $V'$, 
which we denote by $v'$. A valuation for the variables in $V$ and $V'$ can be viewed 
as an ordered pair of states, and we represent sets of these valuations using 
BDDs as above. We write a formula that is true iff there is a transition from the 
state represented by $V$ to the state represented by $V'$. For example, if there is a 
transition from state $(v_0 \leftarrow 1, v_1 \leftarrow 1, v_2 \leftarrow 0)$ to state $(v_0 \leftarrow 1, v_1 \leftarrow 0, v_2 \leftarrow 1)$ 
we write the formula $v_0 \wedge v_1 \wedge \neg v_2 \wedge v_0' \wedge \neg v_1' \wedge v_2'$. The disjunction of all such 
transitions is the transition relation of the model. If $N$ is a transition relation, 
then we write $N(V, V')$ to denote the BDD that represents it. 



2.2 Parallel Composition 

The technique above shows how to construct the graph that models one compo- 
nent of the system. But usually systems are described by a set of components 
that execute concurrently. For synchronous or asynchronous circuits the com- 
ponents are the smaller circuits that are connected together to construct the 
bigger circuit. For protocols or programs the components are the processes that 
execute in parallel. 

There are two major ways of composing processes or systems: synchronously 
and asynchronously. In synchronous composition all processes execute at the 
same time, one step in one process corresponds to exactly one step in all the other 
processes. In asynchronous composition, on the other hand, only one process 
executes at any point in time. When one process steps all the others remain 
unchanged. The choice of which process steps at any time is nondeterministic. 
There are different algorithms for composing synchronous and asynchronous 
systems. 




Fig. 1. A modulo 8 counter 



Synchronous Systems The method for deriving the transition relation of 
a synchronous system can be ill
ustrated using a small example. Consider the 
circuit of a modulo 8 counter on Fig. 1. Let $V = \{v_0, v_1, v_2\}$ be the set of state 
variables for this circuit, and let $V' = \{v_0', v_1', v_2'\}$ be another copy of the state 
variables. The transitions of the modulo 8 counter are given by 

$$v_0' = \neg v_0$$ 

$$v_1' = v_0 \oplus v_1$$ 

$$v_2' = (v_0 \wedge v_1) \oplus v_2$$ 

The above equations can be used to define the relations 

$$N_0(V, V') = (v_0' \Leftrightarrow \neg v_0)$$ 

$$N_1(V, V') = (v_1' \Leftrightarrow v_0 \oplus v_1)$$ 

$$N_2(V, V') = (v_2' \Leftrightarrow (v_0 \wedge v_1) \oplus v_2)$$ 

which describe the constraints each $v_i'$ must satisfy in a legal transition. Each 
constraint can be seen as a separate component, and their composition generates 
the counter. These constraints can be combined by taking their conjunction to 
form the transition relation: 

$$N(V, V') = N_0(V, V') \wedge N_1(V, V') \wedge N_2(V, V').$$ 

In the general case of a synchronous system with $n$ components, we let 
$\{N_0, \ldots, N_{n-1}\}$ be the set of transition relations for each component. Each tran- 
sition relation $N_i$ determines the values of a subset of variables in $V$ in the next 
state. Analogous to the modulo 8 counter, the conjunction of these relations 
forms the transition relation 

$$N(V, V') = N_0(V, V') \wedge \cdots \wedge N_{n-1}(V, V').$$ 

Thus, the transition relation for a synchronous system can be expressed as a 
conjunction of relations. 

Given a BDD for each transition relation $N_i$, it is possible to compute the 
BDD that represents $N$. We say that such a transition relation is monolithic 
because it is represented by a single BDD. Monolithic transition relations are 
the primary bottleneck for verification, because their size can be exponential in 
the number of equations used to define it. 



Asynchronous Systems. As with synchronous systems, the transition relation
for an asynchronous system can be expressed as a conjunction of relations.
Alternatively, it can be expressed as a disjunction. To simplify the description of
how such transition relations are obtained, we assume that all the components of
the system have exactly one output and have no internal state variables. In this
case, it is possible to describe each component completely by a function $f_i(V)$.
Given values for the present state variables $V$, the component drives its output to
the value specified by $f_i(V)$. For some components, such as C-elements and
flip-flops, the function $f_i(V)$ may depend on the current value of the output of the
component, as well as the inputs. Extending the method to handle components
with multiple outputs is straightforward.
In speed-independent asynchronous systems, there can be an arbitrary delay
between when a transition is enabled and when it actually occurs. We can
model this by allowing each component to choose nondeterministically whether
to transition or not. This results in a conjunction of $n$ parts, all of the form

$T_i(V,V') = (v_i' \leftrightarrow f_i(V)) \vee (v_i' \leftrightarrow v_i)$.

This model is similar to the synchronous case discussed above, and allows more
than one variable to transition concurrently.

Normally, we will use an interleaving model for asynchronous composition,
in which only one variable is allowed to transition at a time. First, we apply the
distributive law to the conjunction of the $T_i$'s, giving a disjunction of $2^n$ terms:

$\bigwedge_{i=0}^{n-1} T_i = \bigvee_{b_0, \ldots, b_{n-1}} \bigwedge_{i=0}^{n-1} \left(v_i' \leftrightarrow g_i^{b_i}(V)\right)$,

where all $b_i$'s are indices over $\{0, 1\}$ and

$g_i^{b}(V) = f_i(V)$ if $b = 1$, and $g_i^{b}(V) = v_i$ if $b = 0$.

Each of these terms $\bigwedge_{i=0}^{n-1} (v_i' \leftrightarrow g_i^{b_i}(V))$ corresponds to the simultaneous
transitioning of the subset of the $n$ variables in the model for which $b_i = 1$. Second,
we keep only those terms that correspond to exactly one variable being allowed
to transition (that is, only those disjuncts for which the vector $b_0, \ldots, b_{n-1}$ contains
exactly one 1). This results in a disjunction of the form

$N(V,V') = N_0(V,V') \vee \cdots \vee N_{n-1}(V,V')$,

where

$N_i(V,V') = (v_i' \leftrightarrow f_i(V)) \wedge \bigwedge_{j \neq i} (v_j' \leftrightarrow v_j)$.

Notice that using this method asynchronous systems are composed by disjoining
their components, while synchronous systems are composed by conjoining
their components.



3 Partitioned Transition Relations 

Computing the image or pre-image of a set of states $S$ under a transition relation
$N$ is the most important operation in model checking. A state $t$ is a successor of
$s$ under $N$ if there is a transition from $s$ to $t$ or, in other words, $N(s,t)$ holds.
The image of a set of states $S$ is the set of all successors of states in $S$. If the set $S$ and
the transition relation $N$ are given by boolean formulas, then the image of $S$ is
given by the following formula

$\exists V\,[S(V) \wedge N(V,V')]$,

where $\exists V$ denotes existential quantification over all variables in $V$. This formula
defines the set of successors in terms of the free variables $V'$. Similarly, a state $s$ is
a predecessor of a state $t$ under $N$ iff $N(s,t)$ is true. The set of predecessors of
a state set $S$ is described by the formula

$\exists V'\,[S(V') \wedge N(V,V')]$.

Formulas of this type are called relational products.

While it is possible to implement the relational product with one conjunction
and a series of existential quantifications, in practice this would be fairly slow. In
addition, the OBDD for $S(V) \wedge N(V,V')$ is often much larger than the OBDD
for the final result, and we would like to avoid constructing it if possible. For
these reasons, we use a special algorithm to compute the OBDD for the relational
product in one step from the OBDDs for $S$ and $N$. Figure 2 gives this algorithm
for two arbitrary OBDDs $f$ and $g$.



function RelProd(f, g : OBDD, E : set of variables) : OBDD
    if f = 0 ∨ g = 0
        return 0
    else if f = 1 ∧ g = 1
        return 1
    else if (f, g, E, r) is in the result cache
        return r
    else
        let x be the top variable of f
        let y be the top variable of g
        let z be the topmost of x and y
        r0 := RelProd(f|z=0, g|z=0, E)
        r1 := RelProd(f|z=1, g|z=1, E)
        if z ∈ E
            r := Or(r0, r1)                 /* OBDD for r0 ∨ r1 */
        else
            r := BDDnode(z, r1, r0)         /* OBDD for (z ∧ r1) ∨ (¬z ∧ r0) */
        endif
        insert (f, g, E, r) in the result cache
        return r
    endif

Fig. 2. Relational product algorithm



Like many OBDD algorithms, RelProd uses a result cache. In this case, entries
in the cache are of the form $(f, g, E, r)$, where $E$ is the set of variables that are
quantified out and $f$, $g$ and $r$ are OBDDs. If such an entry is in the cache, it
means that a previous call to RelProd$(f, g, E)$ returned $r$ as its result.

Although the above algorithm works well in practice, it has exponential complexity
in the worst case. Most of the situations where this complexity is observed
are cases in which the OBDD for the result is exponentially larger than the
OBDDs for the arguments $f$ and $g$. In such situations, any method of
computing the relational product must have exponential complexity.

In the previous section we have described how to construct the global transition
relation $N$ from the individual transition relations $N_i$ of the component
processes. However, the size of $N$ can be significantly larger than the sum of the
sizes of all the $N_i$'s. Our goal is to be able to compute relational products without
constructing the global transition relation explicitly.

3.1 Disjunctive Partitioning

The global transition relation of an asynchronous system may be written as
the disjunction of the transition relations for the individual components of the
system. In this case, a relational product will have the form

$\exists V'\,[S(V') \wedge (N_0(V,V') \vee \cdots \vee N_{n-1}(V,V'))]$.

In practice, computing the value of a large formula with many quantifiers is usually
very expensive. Since the existential quantifier distributes over disjunction,
we can shrink the scope of the quantifier to the individual components:

$\exists V'\,[S(V') \wedge N_0(V,V')] \vee \cdots \vee \exists V'\,[S(V') \wedge N_{n-1}(V,V')]$.

When this technique is used it is possible to compute relational products for
much larger asynchronous systems.

3.2 Conjunctive Partitioning

For synchronous systems, a relational product will have the form

$\exists V'\,[S(V') \wedge (N_0(V,V') \wedge \cdots \wedge N_{n-1}(V,V'))]$.

Unfortunately, existential quantification does not distribute over conjunction, so
we cannot directly apply the same transformation as in the asynchronous case.
A simple counterexample is

$\exists a\,[(a \vee b) \wedge (\neg a \vee c)] \neq \exists a\,[a \vee b] \wedge \exists a\,[\neg a \vee c]$,

since the left-hand side reduces to $b \vee c$ while the right-hand side reduces to $\mathit{true}$.

Nevertheless, we still can apply partitioning because systems often exhibit
locality: most $N_i$'s depend only on a small number of variables in $V$ and $V'$.
Subformulas can be moved outside of the scope of existential quantification if
they do not depend on any of the variables being quantified:

$\exists a\,[(a \vee b) \wedge (b \vee c)] = \exists a\,[a \vee b] \wedge (b \vee c)$.

We can optimize the computation of a relational product by using early variable
elimination for variables in each $N_i$. First, pick an order $\rho$ for considering the
partitions in the relational product. Then define $D_i$ to be the set of variables
process $P_i$ depends on, and $E_i$ to be the subset of $D_i$ consisting of the variables that
no process later in the ordering depends on, i.e.,

$E_{\rho(i)} = D_{\rho(i)} \setminus \bigcup_{k=i+1}^{n-1} D_{\rho(k)}$.
We will illustrate this with our example of the modulo 8 counter.

$N_0 = (v_0' \leftrightarrow \neg v_0)$ depends on $D_0 = \{v_0\}$
$N_1 = (v_1' \leftrightarrow v_0 \oplus v_1)$ depends on $D_1 = \{v_0, v_1\}$
$N_2 = (v_2' \leftrightarrow (v_0 \wedge v_1) \oplus v_2)$ depends on $D_2 = \{v_0, v_1, v_2\}$

If we choose the ordering $\rho = 2, 1, 0$, then $E_2 = \{v_2\}$, $E_1 = \{v_1\}$ and $E_0 = \{v_0\}$.
We now can transform the relational product to:

$S_1(V,V') = \exists_{E_{\rho(0)}}\,[S(V) \wedge N_{\rho(0)}(V,V')]$
$S_2(V,V') = \exists_{E_{\rho(1)}}\,[S_1(V,V') \wedge N_{\rho(1)}(V,V')]$
$\ldots$
$S_n(V,V') = \exists_{E_{\rho(n-1)}}\,[S_{n-1}(V,V') \wedge N_{\rho(n-1)}(V,V')]$.

Or, putting it all together,

$\exists_{E_{\rho(n-1)}}\,[\ldots \exists_{E_{\rho(1)}}\,[\exists_{E_{\rho(0)}}\,[S(V) \wedge N_{\rho(0)}(V,V')] \wedge N_{\rho(1)}(V,V')] \wedge \cdots \wedge N_{\rho(n-1)}(V,V')]$,

where the innermost bracket is $S_1$, the next one is $S_2$, and the whole formula is $S_n$.

The ordering $\rho$ has a significant impact on how early in the computation state
variables can be quantified out. This affects the size of the BDDs constructed
and the efficiency of the verification procedure. Thus, it is important to choose
$\rho$ carefully, just as with the BDD variable ordering. For example, a badly chosen
ordering $\rho = 0, 1, 2$ for the same modulo 8 counter yields $E_0 = \{\}$, $E_1 = \{\}$ and
$E_2 = \{v_0, v_1, v_2\}$, which results in no optimization at all.

In practice, we have found it fairly easy to come up with orderings which
give good results. We search for a good ordering $\rho$ by using a greedy algorithm
to find a good ordering on the variables $v_i$ to be eliminated. For each ordering
on the variables, there is an obvious ordering on the relations $N_i$ such that, when
this relation ordering is used, the variables can be eliminated in the order given
by the greedy algorithm.

The algorithm in fig. 3 gives our basic greedy technique. We start with the
set of variables $V$ to be eliminated and a collection $C$ of sets where every $D_i \in C$
is the set of variables on which $N_i$ depends. We then eliminate the variables one
at a time by always choosing the variable with the least cost and then updating
$V$ and $C$ appropriately.

while (V ≠ ∅) do
begin
    For each v ∈ V compute the cost of eliminating v;
    Eliminate the variable with lowest cost by updating C and V;
end;

Fig. 3. Algorithm for variable elimination.



All that remains is to determine the cost metric to use. We will consider
three different cost measures. To simplify our discussion, we will use $N_v$ to refer
to the relation created when eliminating variable $v$ by taking the conjunction of
all the $N_i$ that depend on $v$ and then quantifying out $v$. We will use $D_v$ to refer
to the set of variables on which this $N_v$ depends.

minimum size: The cost of eliminating a variable $v$ is simply $|D_v|$. With this
cost function, we always try to ensure that the new relation we create depends
on the fewest number of variables.

minimum increase: The cost of eliminating variable $v$ is

$|D_v| - \max_{A \in C,\, v \in A} |A| + 1$,

which is the difference between the size of $D_v$ and the size of the largest $D_i$
containing $v$. The idea is that if we have a lot of small relations that all share
one variable, then we do not want to eliminate that variable, since this may
result in a big $N_v$. But this is what the previous heuristic would suggest.
Instead, the minimum increase cost will favor eliminating variables that are
shared by a small number of relations, thus keeping the resulting relation
smaller. In other words, we prefer to make a small increase in the size of an
already large relation rather than to create a new large relation.

minimum sum: The cost of eliminating variable $v$ is

$\sum_{A \in C,\, v \in A} |A|$,

which is simply the sum of the sizes of all the $D_i$ containing $v$. Since the cost
of conjunction depends on the sizes of the arguments, we approximate this
cost by the number of variables on which each of the argument $N_i$ depends.

The overall goal is to minimize the size of the largest BDD created during
the elimination process. In our abstraction, this translates to finding an ordering
that minimizes the size of the largest set $D_v$ created during the process. Always
making a locally optimal choice does not guarantee an optimal solution, and there
are counterexamples for each of the three cost functions. In fact, the problem
of finding an optimal ordering can be shown to be NP-complete. However, the
minimum sum cost function seems to provide the best approximation of the cost
of the actual BDD operations and in practice has the best performance on most
examples.
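The early-quantification sets $E_{\rho(i)}$ defined above and the greedy elimination loop of fig. 3 with its three cost measures, as an added Python example (not code from the paper). Relations are represented only by their support sets $D_i$, the modulo 8 counter's sets are the constructed input, and the tie-breaking rule (smallest variable name first) and the `relation_order` helper, which derives a relation ordering $\rho$ from a variable ordering, are assumptions of the example rather than details the paper fixes.

```python
# Constructed input: the modulo 8 counter, D_i = present-state variables N_i depends on
COUNTER = {0: {"v0"}, 1: {"v0", "v1"}, 2: {"v0", "v1", "v2"}}


def elimination_sets(rho, D):
    """E_rho(i) = D_rho(i) minus the union of the D_rho(k) for k > i."""
    E = {}
    for i, idx in enumerate(rho):
        later = set().union(*(D[k] for k in rho[i + 1:]))
        E[idx] = D[idx] - later
    return E


def support_after(v, C):
    """D_v: support of the conjunction of every relation in C mentioning v, with v quantified out."""
    return set().union(*(A for A in C if v in A)) - {v}


def cost(v, C, measure):
    """Cost of eliminating v from the collection C of support sets (the three measures)."""
    touching = [A for A in C if v in A]
    if measure == "size":
        return len(support_after(v, C))
    if measure == "increase":
        return len(support_after(v, C)) - max(len(A) for A in touching) + 1
    if measure == "sum":
        return sum(len(A) for A in touching)
    raise ValueError(measure)


def greedy_order(D, measure):
    """Fig. 3: repeatedly eliminate the cheapest variable.  Returns the variable order
    and the size of every D_v created; the largest of these is what we want small."""
    V = set().union(*D.values())
    C = [set(A) for A in D.values()]
    order, sizes = [], []
    while V:
        v = min(sorted(V), key=lambda x: cost(x, C, measure))   # ties: smallest name (assumption)
        D_v = support_after(v, C)
        C = [A for A in C if v not in A] + [D_v]                  # replace the conjuncts by N_v
        V.remove(v)
        order.append(v)
        sizes.append(len(D_v))
    return order, sizes


def relation_order(var_order, D):
    """Relation ordering rho induced by a variable ordering: N_i must be conjoined
    no later than the first of its variables is quantified out."""
    position = {v: i for i, v in enumerate(var_order)}
    return sorted(D, key=lambda i: min(position[v] for v in D[i]))
```

On the counter, the minimum sum measure eliminates $v_2$, $v_1$, $v_0$ in that order (costs 3, then 4, then 2), the intermediate $D_v$ sets have sizes 2, 1 and 0, and `relation_order` turns that variable order into the good ordering $\rho = 2, 1, 0$ discussed above; `elimination_sets` reproduces both the good and the bad $E$ sets.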



4 Lazy Parallel Composition 



Lazy parallel composition is an alternative method for compositional reasoning
that can be related to partitioned transition relations. As in the case of the
partitioned transition relations, the global transition relation is never constructed.
However, in contrast to the previous method, a restricted transition relation for
all processes is created. The restricted transition relation agrees with the global
transition relation for 'important' states, but it may behave in a different way
for other states. The advantage comes from the fact that in many cases it is
possible to construct a restricted transition relation that is significantly smaller
than the global transition relation.

There are many possible ways of constructing a restricted transition relation
that would produce correct results. Given an original global transition relation
$N$ and a state set $S$, the computation of the set of successors of $S$ can use any
restricted transition relation $N'$ that satisfies the following condition:

$N'|_S = N|_S$.

The formula above means that $N$ and $N'$ agree on transitions that start from
states in $S$. It is possible to represent $N'$ with significantly fewer nodes than
$N$ in some cases by using the constrain operator from [14,27]. For two boolean
formulas $f$ and $g$, $f' = \mathit{constrain}(f, g)$ is a formula that has the same truth value
as $f$ for variable assignments that satisfy $g$. If the variable assignment does not
satisfy $g$, the value of $f'$ can be arbitrary. In other words:

$f'(x) = f(x)$ if $g(x)$ holds, and $f'(x)$ is a don't care otherwise.

In many cases the size of $f'$ is significantly smaller than the size of $f$.

The lazy composition algorithm uses the constrain operator to simplify the
transition relation of each process before generating the global restricted transition
relation. When computing the set of successors of a state set $S$ (represented
by a boolean formula) the algorithm computes

$N' = \bigwedge_{i=0}^{n-1} \mathit{constrain}(N_i, S)$.

Each transition relation $N_i' = \mathit{constrain}(N_i, S)$ agrees with $N_i$ on transitions that
start in $S$ by the definition of the constrain operator. As a consequence, the
transition relation $N'$ agrees with the global transition relation $N$ on transitions
that start in $S$ as well. Therefore, computing the set of successors of $S$ using $N'$
produces the same result as using $N$. The same method can be applied when
computing the set of predecessors of a state set $S$. Only in this case the constrain
operator has to maintain those transitions in $N$ that end in $S$.
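A minimal OBDD package that exercises both the relational product of fig. 2 (section 3) and the restricted relation $N' = \bigwedge_i \mathit{constrain}(N_i, S)$ of this section on the modulo 8 counter. This is an added example, not the paper's implementation: the interleaved variable order, the node encoding, the choice to return the constant 0 for $\mathit{constrain}(f, 0)$ and all helper names are assumptions of the example. The `constrain` method is the generalized cofactor of [14,27] in its usual recursive form.

```python
from functools import reduce

# Boolean operators on the terminals 0/1, used by apply() on constant arguments
AND, OR, XOR = (lambda a, b: a & b), (lambda a, b: a | b), (lambda a, b: a ^ b)
IFF = lambda a, b: int(a == b)

class BDD:
    """Reduced ordered BDD: ids 0/1 are terminals, other ids index (var, low, high)."""
    def __init__(self, nvars):
        self.nvars, self.nodes, self.unique, self.cache = nvars, [None, None], {}, {}

    def mk(self, var, low, high):            # hash-consing node constructor
        if low == high:                      # redundant test: drop the node
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes)
            self.nodes.append(key)
        return self.unique[key]

    def var(self, i):
        return self.mk(i, 0, 1)

    def top(self, f):                        # terminals sort below every variable
        return self.nvars if f < 2 else self.nodes[f][0]

    def cofactors(self, f, z):               # (f|z=0, f|z=1)
        if f < 2 or self.nodes[f][0] != z:
            return f, f
        return self.nodes[f][1], self.nodes[f][2]

    def apply(self, op, f, g):
        if f < 2 and g < 2:
            return op(f, g)
        key = (op, f, g)
        if key not in self.cache:
            z = min(self.top(f), self.top(g))
            (f0, f1), (g0, g1) = self.cofactors(f, z), self.cofactors(g, z)
            self.cache[key] = self.mk(z, self.apply(op, f0, g0), self.apply(op, f1, g1))
        return self.cache[key]

    def relprod(self, f, g, E):              # exists E [f and g] in one pass (Fig. 2)
        if f == 0 or g == 0:
            return 0
        if f == 1 and g == 1:
            return 1
        key = ("relprod", f, g, E)
        if key not in self.cache:
            z = min(self.top(f), self.top(g))
            (f0, f1), (g0, g1) = self.cofactors(f, z), self.cofactors(g, z)
            r0, r1 = self.relprod(f0, g0, E), self.relprod(f1, g1, E)
            self.cache[key] = self.apply(OR, r0, r1) if z in E else self.mk(z, r0, r1)
        return self.cache[key]

    def constrain(self, f, g):               # equals f where g holds, don't care elsewhere
        if g == 0:
            return 0                         # nothing is cared about: pick the smallest BDD (assumption)
        if g == 1 or f < 2:
            return f
        key = ("constrain", f, g)
        if key not in self.cache:
            z = min(self.top(f), self.top(g))
            (f0, f1), (g0, g1) = self.cofactors(f, z), self.cofactors(g, z)
            if g0 == 0:                      # g forces z = 1, so the z test disappears
                self.cache[key] = self.constrain(f1, g1)
            elif g1 == 0:                    # g forces z = 0
                self.cache[key] = self.constrain(f0, g0)
            else:
                self.cache[key] = self.mk(z, self.constrain(f0, g0), self.constrain(f1, g1))
        return self.cache[key]

# Modulo 8 counter; the interleaved order v0 < v0' < v1 < v1' < v2 < v2' is an assumption
B = BDD(6)
V, VP = [0, 2, 4], [1, 3, 5]                 # present-state and next-state variables
v0, v0p, v1, v1p, v2, v2p = (B.var(i) for i in range(6))
neg = lambda f: B.apply(XOR, f, 1)
conj = lambda fs: reduce(lambda a, b: B.apply(AND, a, b), fs)
N = [B.apply(IFF, v0p, neg(v0)),                                     # N0: v0' <-> not v0
     B.apply(IFF, v1p, B.apply(XOR, v0, v1)),                        # N1: v1' <-> v0 xor v1
     B.apply(IFF, v2p, B.apply(XOR, B.apply(AND, v0, v1), v2))]      # N2: v2' <-> (v0 and v1) xor v2
N_global = conj(N)                                                   # the monolithic N

def state_set(values, vars_):                # BDD over vars_ true exactly on the given integers
    minterm = lambda k: conj(B.var(x) if (k >> i) & 1 else neg(B.var(x)) for i, x in enumerate(vars_))
    return reduce(lambda a, b: B.apply(OR, a, b), (minterm(k) for k in values), 0)

def states_of(f, vars_):                     # decode a BDD over vars_ back into integers
    return {k for k in range(2 ** len(vars_)) if B.apply(AND, f, state_set({k}, vars_)) != 0}

def nodes_of(f):                             # internal nodes reachable from f; its size is len()
    return set() if f < 2 else {f} | nodes_of(B.nodes[f][1]) | nodes_of(B.nodes[f][2])

def restricted_relation(S):
    """Lazy composition: N' = AND_i constrain(N_i, S), built without ever forming N."""
    return conj(B.constrain(Ni, S) for Ni in N)

def image(states, lazy=False):
    """Successors of `states`: exists V [S(V) and N(V,V')], decoded over the V' variables."""
    S = state_set(states, V)
    rel = restricted_relation(S) if lazy else N_global
    return states_of(B.relprod(S, rel, frozenset(V)), VP)
```

Both variants of `image` return the same successor set, as argued above, while for a single start state the restricted relation collapses to the three nodes that fix $v_0'$, $v_1'$ and $v_2'$, far fewer than the monolithic $N$ needs.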



4.1 Partitioning vs. Lazy Composition 

Lazy parallel composition is less sensitive to the order in which variables are
eliminated than partitioned transition relations. This is because step $i$ in the
partitioned transition relation depends on step $i-1$, as shown below:

$\exists v_1\,[\underbrace{\exists v_0\,[S(V) \wedge N_0(V,V')]}_{\text{step 1}} \wedge N_1(V,V')]$ (the outer quantification is step 2).

As a consequence, the final degree of partitioning heavily depends on the order
in which we quantify the variables out. We have already seen an example of such
dependency in section 3.2.

Lazy parallel composition, on the other hand, processes each component
independently, and thus does not depend on the order in which the constrain
operators are applied:

$\exists V\,[S(V) \wedge (\underbrace{N_1(V,V')|_S}_{\text{step 1}} \wedge \underbrace{N_2(V,V')|_S}_{\text{step 2}})]$.

We have implemented the lazy composition algorithm and obtained significant
gains in both space and time. The verification of one example took 18
seconds and 1 MB of memory when lazy composition was used. The same example
took about the same amount of time but twice as much memory when
partitioned transition relations were used. If neither method was used, verification
required more than 40 seconds and 12 MB. A significant part of the savings
in both methods results from not constructing the global transition relation.
However, lazy parallel composition often requires much less memory. The reason
seems to be that partitioned transition relations are heavily influenced by the
order in which partitions are processed, because this order determines which
variables can or cannot be quantified out early. In lazy parallel composition this
does not happen, since all of the variables are quantified out at the same time.
This makes it less susceptible to the order in which partitions are processed, and
more suitable to be used in the cases in which determining the processing order
can be difficult. It also makes the new technique easier to automate.
5 Interface Processes

An important observation leads to another approach to compositional verification.
The state explosion problem is usually most severe for loosely coupled
processes which communicate using a small number of shared variables.

5.1 Cone of Influence Reduction

Suppose we are given a set of variables $\sigma$ that we are interested in with respect
to the process $P$. We can simplify the process $P$ using the cone of influence
reduction. Assume that the system is specified by a set of equations:

$v_i' = f_i(V)$.

Define the cone of influence $C_i$ of $v_i$ for each variable $v_i$ as the minimal set of
variables such that

- $v_i \in C_i$,
- if for some $v_l \in C_i$ its $f_l$ depends on $v_j$, then $v_j \in C_i$.

Construct a new (reduced) process $P'$ from $P$ by removing all the equations
whose left-hand side variables do not appear in any of the $C_i$'s for $v_i \in \sigma$. It can
be easily shown that $P \models \varphi$ iff $P' \models \varphi$, whenever $\varphi$ contains only variables from
$\sigma$.

Again, consider our example of the modulo 8 counter (fig. 1). Its set of
equations is

$v_0' = \neg v_0$
$v_1' = v_0 \oplus v_1$
$v_2' = (v_0 \wedge v_1) \oplus v_2$

Clearly, $C_0 = \{v_0\}$, since $f_0$ does not depend on any variable other than $v_0$.
We have $C_1 = \{v_0, v_1\}$, since $f_1$ depends on both of these variables, but $v_2 \notin C_1$
because no variable in $C_1$ depends on $v_2$. And $C_2$ is the set of all the variables.
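The cone of influence closure and the resulting reduction, as an added Python example (not the paper's code). Each $f_i$ is represented only by the set of variables it reads, the counter's dependency sets are the constructed input, and the function names are the example's own.

```python
# Constructed input: the modulo 8 counter, deps[v] = the variables that f_v reads
COUNTER = {"v0": {"v0"}, "v1": {"v0", "v1"}, "v2": {"v0", "v1", "v2"}}


def cone(v, deps):
    """C_v: the smallest set containing v and closed under 'some f_l in the set reads v_j'."""
    C, work = {v}, [v]
    while work:
        for j in deps[work.pop()]:
            if j not in C:
                C.add(j)
                work.append(j)
    return C


def reduce_system(sigma, deps):
    """P': keep only the equations whose left-hand side lies in the cone of some variable in sigma."""
    keep = set().union(*(cone(v, deps) for v in sigma))
    return {v: deps[v] for v in deps if v in keep}


def checkable(formula_vars, sigma):
    """A formula may be checked on P' instead of P only if it mentions variables from sigma alone."""
    return set(formula_vars) <= set(sigma)
```

For $\sigma = \{v_1\}$ the reduced system keeps the equations for $v_0$ and $v_1$ and drops $v_2$, matching $C_1 = \{v_0, v_1\}$ above; a property that mentions $v_2$ fails the `checkable` test and must be verified on the full process.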




PI and P2 
communicate 
using these 
variables 

Assume two processes Pi and P2 communicate using a set of variables cr. 
Then Pi can only observe the behavior of P2 through cr. It means that we can 
replace P2 by any equivalent process A2 which is indistinguishable from P2 with 
respect to cr and this will completely preserve the behavior of Pi. The idea is to 
hud a smaller process A2 that hides all events irrelevant to cr. 
The following interface rule guarantees the correctness of the abstraction $A_2$
with respect to $P_1$. Let $P|_\sigma$ be the restriction of $P$ to the cone of influence of
the variables in $\sigma$, and $\mathcal{L}(\sigma)$ be the set of all CTL formulas with free variables from
$\sigma$. The interface rule states that if the following conditions are satisfied:

- $P_2|_\sigma \equiv A_2$,
- $P_1 \| A_2 \models \varphi$,
- $\varphi$ is a CTL formula such that $\varphi \in \mathcal{L}(\sigma)$,

then $\varphi$ is also true in $P_1 \| P_2$. In fact, it is sufficient for $\varphi$ to be in $\mathcal{L}(\Sigma_{P_1})$ for
this rule to be sound, where $\Sigma_{P_1}$ is the set of variables of $P_1$.

In the remainder of this section we describe how this strategy can be made
precise and show how it can be used to reduce the state explosion problem for
loosely coupled processes.

5.2 Soundness of the interface rule

In order for the interface rule to be sound we need to specify some properties
that the process equivalence '$\equiv$' has to satisfy. For a process $P$ let $\Sigma_P$ be the set
of atomic propositions (or state variables) in $P$, and let $\mathcal{L}(\Sigma)$ be the language of
temporal formulas over the alphabet $\Sigma$. For any two processes $P_1$ and $P_2$ with
sets of variables $\Sigma_{P_1}$ and $\Sigma_{P_2}$, the following axioms have to be satisfied:

1. $P_1 \equiv P_2$ implies $\forall \varphi \in \mathcal{L}(\Sigma_{P_1})\,[P_1 \models \varphi \Leftrightarrow P_2 \models \varphi]$
2. If $P_1 \equiv P_2$ then $P_1 \| Q \equiv P_2 \| Q$ and $Q \| P_1 \equiv Q \| P_2$
3. $(P_1 \| P_2)|_{\Sigma_{P_1}} \equiv P_1 \| (P_2|_{\Sigma_{P_1}})$ and $(P_1 \| P_2)|_{\Sigma_{P_2}} \equiv (P_1|_{\Sigma_{P_2}}) \| P_2$
4. If $\varphi \in \mathcal{L}(\Sigma)$ and $\Sigma \subseteq \Sigma_P$, then $P \models \varphi$ iff $P|_\Sigma \models \varphi$

Theorem 1 (Soundness). The Interface Rule is sound.

To remind the reader, the interface rule states that

- $P_2|_{\Sigma_{P_1}} \equiv A_2$,
- $P_1 \| A_2 \models \varphi$,
- $\varphi$ is a CTL formula such that $\varphi \in \mathcal{L}(\Sigma_{P_1})$,

imply $P_1 \| P_2 \models \varphi$. Notice that restricting $P_2$ to $\Sigma_{P_1}$ produces the same result
as $P_2|_\sigma$, where $\sigma = \Sigma_{P_1} \cap \Sigma_{P_2}$.

Proof. Since $P_2|_{\Sigma_{P_1}} \equiv A_2$, by 2 we have $P_1 \| A_2 \equiv P_1 \| (P_2|_{\Sigma_{P_1}})$. By 3,
$P_1 \| (P_2|_{\Sigma_{P_1}}) \equiv (P_1 \| P_2)|_{\Sigma_{P_1}}$, hence we also have $P_1 \| A_2 \equiv (P_1 \| P_2)|_{\Sigma_{P_1}}$.
Since $P_1 \| A_2 \models \varphi$ and $\varphi \in \mathcal{L}(\Sigma_{P_1})$, by 1 we derive $(P_1 \| P_2)|_{\Sigma_{P_1}} \models \varphi$,
and from 4 we immediately get $P_1 \| P_2 \models \varphi$ as required.
5.3 Equivalence of Processes

We define concrete equivalence relations over the processes that fulfil our requirements
and are the most suitable in our framework. We use bisimulation equivalence
and stuttering equivalence with synchronous parallel composition. We also
give an "efficient" polynomial algorithm to determine bisimulation equivalence
between processes and a sketch of the algorithm for stuttering equivalence.

Definition 1. A model is a triple $M = (S, N, L)$, where $S$ is a set of states,
$N \subseteq S \times S$ is a transition relation and $L$ is a labeling function mapping each
state into the set of atomic propositions that are true in that state.

Bisimulation Equivalence. Consider two models $M = (S, N, L)$ and
$M' = (S', N', L')$ with the same set of atomic propositions.

Definition 2. A binary relation $E \subseteq S \times S'$ is called a bisimulation relation if
for any $s \in S$ and $s' \in S'$, $E(s, s')$ implies $L(s) = L'(s')$ and

(i) $\forall r \in S.\ N(s, r) \Rightarrow \exists r' \in S' : N'(s', r') \wedge E(r, r')$

(ii) $\forall r' \in S'.\ N'(s', r') \Rightarrow \exists r \in S : N(s, r) \wedge E(r, r')$.

Definition 3. A bisimulation equivalence is the maximum bisimulation relation
in the subset inclusion preorder.

Notice that the definition of a bisimulation relation can be viewed as a fixpoint
equation. Hence, the bisimulation equivalence is just the greatest fixpoint
of that equation. This gives rise to a simple polynomial algorithm for computing
the bisimulation equivalence using the well known iterative procedure. We compute
a (decreasing) sequence of relations $E_0, E_1, \ldots$ until this sequence converges
to a fixpoint at the $n$-th step. This convergence is guaranteed in the finite-state case,
since the subset inclusion preorder is then well-founded in both directions. Choosing
an appropriate $E_0$ guarantees that this fixpoint is the greatest fixpoint, therefore
$E_n$ is the required bisimulation equivalence. The sequence of relations is defined
inductively as follows:

1. $s E_0 s'$ iff $L(s) = L'(s')$,

2. $s E_{n+1} s'$ iff $L(s) = L'(s')$ and

- $\forall s_1\,[N(s, s_1)$ implies $\exists s_1'\,[N'(s', s_1') \wedge s_1 E_n s_1']]$
- $\forall s_1'\,[N'(s', s_1')$ implies $\exists s_1\,[N(s, s_1) \wedge s_1 E_n s_1']]$

The complexity of this algorithm is polynomial in the number of states and in $m$,
the sum of the sizes of the transition relations. There are more efficient algorithms for computing
bisimulation equivalence, for example the Paige-Tarjan algorithm [24]. Its
complexity is $O(m \log n)$ in time and $O(m + n)$ in space, where $n$ is the sum of the
numbers of states in both models, and $m$ is the sum of the sizes of the transition
relations. However, it is unclear if this algorithm can employ BDDs as well.
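The iterative computation of $E_0, E_1, \ldots$ from Definition 2, as an added Python example (not the paper's code) over explicit models $M = (S, N, L)$ stored as a state set, a successor map and a labeling map. The three small models at the end are constructed for the example: one with two interchangeable $b$-labelled states, its two-state quotient, and a model that is not bisimilar because it can stay in a $b$ state forever.

```python
def refine(E, N, Np):
    """One step E_n -> E_{n+1}: keep (s, s') only if every move of s is matched by s'
    and every move of s' is matched by s, with the targets related by E_n."""
    def matched(s, t):
        forward = all(any((r, rp) in E for rp in Np.get(t, ())) for r in N.get(s, ()))
        backward = all(any((r, rp) in E for r in N.get(s, ())) for rp in Np.get(t, ()))
        return forward and backward
    return {(s, t) for (s, t) in E if matched(s, t)}


def bisimulation(M, Mp):
    """Greatest fixpoint E_0 ⊇ E_1 ⊇ ... of Definition 2; returns the stable set of pairs."""
    (S, N, L), (Sp, Np, Lp) = M, Mp
    E = {(s, t) for s in S for t in Sp if L[s] == Lp[t]}      # E_0: equal labels
    while True:
        E_next = refine(E, N, Np)
        if E_next == E:                                        # fixpoint reached
            return E
        E = E_next


def bisimilar(M, s, Mp, t):
    return (s, t) in bisimulation(M, Mp)


# Constructed models as (states, successor map, labeling map).
M = ({"s0", "s1", "s2"},
     {"s0": {"s1", "s2"}, "s1": {"s0"}, "s2": {"s0"}},
     {"s0": {"a"}, "s1": {"b"}, "s2": {"b"}})
M1 = ({"t0", "t1"}, {"t0": {"t1"}, "t1": {"t0"}}, {"t0": {"a"}, "t1": {"b"}})      # quotient of M
M2 = ({"u0", "u1"}, {"u0": {"u1"}, "u1": {"u1"}}, {"u0": {"a"}, "u1": {"b"}})      # loops in b forever
```

Against `M2` the iteration starts from the three label-compatible pairs, drops the two $b$ pairs in the first refinement (because $s_1$ and $s_2$ can return to an $a$ state while $u_1$ cannot) and the remaining pair in the second, so the greatest bisimulation is empty.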
Fig. 4. A CPU controller.



Stuttering Equivalence. Unlike bisimulation, the stuttering equivalence [4,
16] is usually defined over the computation paths of the models. Intuitively, two
paths $\pi$ and $\pi'$ are considered stuttering equivalent if they can be partitioned
into finite blocks of repeated, or stuttered, states, and corresponding blocks are
equivalent in the two paths relative to the labeling functions $L$ and $L'$ of the
models. Thus, we do not distinguish between two executions that differ only in
the number of idle cycles between transitions. The stuttering equivalence also
has a definition in terms of the greatest fixpoint.

Definition 4. A binary relation $E \subseteq S \times S'$ is called a stuttering relation if for
any $s \in S$ and $s' \in S'$, $s E s'$ implies $L(s) = L'(s')$ and

(i) $\forall r.\ N(s, r) \Rightarrow \exists s_0', \ldots, s_n'\ (n \ge 0).\ s_0' = s'$ and $r E s_n'$ and
$\forall 0 \le i < n.\ N'(s_i', s_{i+1}')$ and $s E s_i'$,

(ii) $\forall r'.\ N'(s', r') \Rightarrow \exists s_0, \ldots, s_m\ (m \ge 0).\ s_0 = s$ and $s_m E r'$ and
$\forall 0 \le i < m.\ N(s_i, s_{i+1})$ and $s_i E s'$.

Definition 5. A stuttering equivalence is the maximum stuttering relation in
the subset inclusion preorder.

Stuttering equivalence preserves the truth of CTL* formulas that do not involve
the next time operator X [4]. As in the case of bisimulation, we define
inductively a sequence of relations $E_0, E_1, \ldots$ (that also converges in the finite-state
case) and the stuttering equivalence is the intersection of all the $E_i$'s. However,
instead of computing the direct pre-image at each iteration as we did for bisimulation,
we compute the set of states from which there is a path to the current state
along which the current labeling $L(s)$ changes exactly once. This involves computing
another least fixpoint. The details of the algorithm are described in [3].
A more efficient algorithm based on the Paige-Tarjan algorithm was found by
Groote and Vaandrager [16] that runs in $O(mn)$ time. It is unknown, however,
if this algorithm can use BDDs as well.

5.4 Interface Processes Example

As a simple example, we consider a model of the CPU controller [13] (fig. 4).
The model comprises two parallel processes $P_A$ and $P_E$ called the access unit
and the execution unit. The access unit $P_A$ fetches instructions and stores them
in an instruction queue, and maintains a cache of the top location of the CPU
stack in a special register. The execution unit $P_E$ pops the instructions from
the queue and interprets them. A major part of the temporal logic specification
for the CPU's controller defines correct behavior for the access unit and consists of
formulas on the set of signals which are inputs or outputs of the unit. These
signals constitute $\Sigma_{P_A}$. An example of such a formula is the following

AG AF fetch

This formula is a liveness property which states that instructions are fetched
from the access unit to the execution unit infinitely often. Fetch is actually
a propositional formula defined in terms of request and acknowledge signals
between the two units.

The parallel composition of the access unit and the execution unit in our
design has approximately 1100 reachable states. However, by restricting the outputs
of the execution unit to those in $\Sigma_{P_A}$, and then minimizing it, we obtain
an interface process $A_{P_E}$ such that $P_A \| A_{P_E}$ has only 196 reachable states. The
reason for this reduction is that, while the execution unit interprets many different
instructions, the memory accesses of these instructions fall into a few basic
patterns.

6 Assume/Guarantee Reasoning

Assume-guarantee reasoning is a semi-automatic method that verifies each component
separately. Ideally, compositional reasoning exploits the natural decomposition
of a complex system into simpler components, handling one component
at a time. In practice, however, when a component is verified it may be necessary
to assume that the environment behaves in a certain manner. If the other
components in the system guarantee this behavior, then we can conclude that
the verified properties are true of the entire system. These properties can be
used to deduce additional global properties of the system.

The assume-guarantee paradigm [17,21,23,25] uses this method. Typically,
a formula is a triple $\langle g \rangle M \langle f \rangle$ where $g$ and $f$ are temporal formulas and $M$ is a
program. The formula is true if whenever $M$ is part of a system satisfying $g$, the
system must also satisfy $f$. A typical proof shows that $\langle g \rangle M \langle f \rangle$ and $\langle \mathit{true} \rangle M' \langle g \rangle$
hold and concludes that $\langle \mathit{true} \rangle M \| M' \langle f \rangle$ is true. This proof strategy can also
be expressed as an inference rule:

$\dfrac{\langle \mathit{true} \rangle M' \langle g \rangle \qquad \langle g \rangle M \langle f \rangle}{\langle \mathit{true} \rangle M \| M' \langle f \rangle}$

The soundness of this simple assume-guarantee rule is straightforward.

In order to automate this approach, a model checker must be able to check
that a property is true of all systems which can be built using a given component.
More generally, it must be able to restrict to a given class of environments when
doing this check. An elegant way to obtain a system with this property is to
provide a preorder $\preceq$ on the finite state models that captures the notion of "more
behaviors" and to use a logic whose semantics is consistent with the preorder.
The order relation should preserve satisfaction of formulas of the logic, i.e. if a
formula is true for a model, it should also be true for any model which is smaller
in the preorder. Additionally, composition should preserve the preorder, and a
system should be smaller in the preorder than its individual components. Finally,
satisfaction of a formula should correspond to being smaller than a particular
model (a tableau for the formula) in the preorder.

Following Grumberg and Long [17], we use synchronous process composition,
the simulation preorder, and the temporal logic ACTL (a subset of CTL without
existential path quantifiers). This choice is motivated by the expressiveness of
ACTL and the existence of a very efficient model checking algorithm for this
logic. The simulation preorder is also a natural choice, since it is simple and
intuitive as well as easily automated. We employ tableau construction methods
for converting formulas into processes. Informally, a tableau for a formula $\varphi$ is
the greatest process $A_\varphi$ (in the preorder) such that $A_\varphi \models \varphi$. In the remainder
of this section we will not distinguish formulas and processes and will write, for
example, $M \preceq \varphi$ to mean $M \preceq A_\varphi$.

It can be easily shown that our choice of formalisms meets all the requirements
[17]. In particular, for all $M$ and $M'$ we have $M \| M' \preceq M$, and if $M' \preceq A$
then $M \| M' \preceq M \| A$, because synchronous composition can only restrict possible
behaviors. Since $M$ is greater than any system containing $M$, we can focus on
proving properties of $M$ in isolation. This ensures that the same properties hold
for an arbitrary system containing $M$.

Using the tableau construction we can verify $M \models \varphi$ by checking the relation
$M \preceq \varphi$. In practice, however, we use classical model checking for verifying
$M \models \varphi$ for a single component $M$ if $\varphi$ is given by a formula, and the simulation
preorder if $\varphi$ is an automaton, to increase the efficiency. Assumptions on
the model correspond to composition. That is, a model $M$ has the same set of
behaviors under assumptions $\psi$ as the model $M \| \psi$ without any assumptions.
Thus, our triple $\langle \varphi \rangle M \langle \psi \rangle$ corresponds to $\varphi \| M \preceq \psi$. In other words, discharging
assumptions corresponds to checking the preorder. Finally, the rule $M \preceq M \| M$
allows multiple levels of assume-guarantee reasoning.

Earlier we mentioned that the logic must preserve the preorder relation. Now
we formalize and state the properties explicitly.

1. For all $M$, $M'$ and $\varphi$, if $M \preceq M'$ and $M' \models \varphi$, then $M \models \varphi$ (removing
behaviors cannot change a formula from true to false). Since $M \| M' \preceq M$,
it is enough to check $M \models \varphi$ to know that any system containing $M$ also
satisfies $\varphi$.

2. For every $\varphi$, there is a structure $T_\varphi$ such that $M \models \varphi$ if and only if $M \preceq T_\varphi$.
This allows us to use $\varphi$ as an assumption by composing $M$ with $T_\varphi$.

3. Every model of $\varphi$ is also a model of $\psi$ if $T_\varphi \models \psi$.

These lemmas are proved rigorously in [17] for synchronous composition of processes,
the simulation preorder and the logic ACTL.
6.1 Implementation of Assume Guarantee Reasoning

Suppose we want to show that M||M' |= ip. That is, in terms of triples, we 
need to prove {true)M\\M'{ip). We verify that M satishes some property by 
model checking. Next, using as an assumption, we show that M' satishes 
some other auxiliary property cp. Finally, we show that M satishes the required 
property ip under the assumption (p. Since this extends to any system containing 
M , we are done. If the intermediate formulas (or processes) p and {} are much 
smaller than M and M' respectively, then all the transition relations that must 
be constructed are signihcantly smaller than the one for M||M'. This strategy 
for proving M||M' ^ ip can be summarized in the following assume-guarantee 
rule: 



[true)Mpd) pd)M'[p) {p)M{ip) 

{true)M\\M'{ip) 

In our framework, this corresponds to 

M N p p\\M N Ip 

M\\M' N iP 

It is straightforward to show that this rule is sound by using the properties 
of preorder relation stated earlier. 

Theorem 2. The assume-guarantee rule is sound. 

Proof. Since M ≼ θ, then M||M' ≼ θ||M'. Since θ||M' ≼ φ, by transitivity 
M||M' ≼ φ. Composing both sides with M we get M||M'||M ≼ φ||M. Since 
parallel composition is commutative and associative, we can group the left hand 
side as M||M||M'. Then using M ≼ M||M and composing both sides with M' 
we obtain M||M' ≼ φ||M. Finally, from the last assumption φ||M ≼ ψ and 
transitivity we draw the conclusion of the rule M||M' ≼ ψ. 
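The rule and the soundness argument above can be exercised mechanically on small finite structures. The following is an added example, not code from the paper: it implements the simulation preorder (greatest fixpoint) and synchronous composition directly, and the structures M, M', θ, φ and ψ are constructed for this illustration (fairness is ignored, so the plain preorder is checked).

```python
"""Added example (not the paper's code): the assume-guarantee rule of
section 6.1 checked on small constructed structures, with the simulation
preorder and synchronous composition implemented directly."""


class Struct:
    """Finite structure: the atomic propositions it observes, initial states,
    a transition relation and a labelling of each state with the
    propositions true there (the state set is the labelling's key set)."""

    def __init__(self, ap, init, trans, label):
        self.ap = frozenset(ap)
        self.label = {s: frozenset(l) for s, l in label.items()}
        self.states = set(self.label)
        self.init = set(init)
        self.trans = set(trans)

    def succ(self, s):
        return {t for (u, t) in self.trans if u == s}


def compose(m1, m2):
    """Synchronous composition M1 || M2: pairs of states that agree on the
    shared propositions, moving in lockstep."""
    common = m1.ap & m2.ap
    ok = lambda s, t: (m1.label[s] & common) == (m2.label[t] & common)
    label = {(s, t): m1.label[s] | m2.label[t]
             for s in m1.states for t in m2.states if ok(s, t)}
    init = {(s, t) for s in m1.init for t in m2.init if ok(s, t)}
    trans = {((s, t), (s2, t2)) for (s, s2) in m1.trans for (t, t2) in m2.trans
             if (s, t) in label and (s2, t2) in label}
    return Struct(m1.ap | m2.ap, init, trans, label)


def preorder(m, mp):
    """M ≼ M' (M' simulates M, observing only AP' ⊆ AP): greatest fixpoint of
    the simulation relation, then every initial state of M must be covered."""
    assert mp.ap <= m.ap
    H = {(s, t) for s in m.states for t in mp.states
         if (m.label[s] & mp.ap) == mp.label[t]}
    changed = True
    while changed:
        changed = False
        for (s, t) in list(H):
            # every successor of s must be matched by some successor of t
            if not all(any((s2, t2) in H for t2 in mp.succ(t)) for s2 in m.succ(s)):
                H.discard((s, t))
                changed = True
    return all(any((s0, t0) in H for t0 in mp.init) for s0 in m.init)


# --- constructed sample structures (not from the paper) -----------------
# M: a 4-state ring in which proposition a holds in state 0 only.
M = Struct({"a"}, {0}, {(0, 1), (1, 2), (2, 3), (3, 0)},
           {0: {"a"}, 1: set(), 2: set(), 3: set()})
# THETA (abstraction of M): a never holds in two consecutive states.
THETA = Struct({"a"}, {"t0"}, {("t0", "t1"), ("t1", "t0"), ("t1", "t1")},
               {"t0": {"a"}, "t1": set()})
# M': b holds exactly one step after a (states are (a, b) value pairs).
M_PRIME = Struct({"a", "b"}, {(0, 0), (1, 0)},
                 {((x, y), (x2, y2)) for x in (0, 1) for y in (0, 1)
                  for x2 in (0, 1) for y2 in (0, 1) if y2 == x},
                 {(x, y): ({"a"} if x else set()) | ({"b"} if y else set())
                  for x in (0, 1) for y in (0, 1)})
# PHI (auxiliary): after a, b holds in the next state (a and b may overlap).
PHI = Struct({"a", "b"}, {"p0", "p1"},
             {("p0", "p0"), ("p0", "p1"), ("p1", "p2"), ("p1", "p3"),
              ("p2", "p0"), ("p2", "p1"), ("p3", "p2"), ("p3", "p3")},
             {"p0": set(), "p1": {"a"}, "p2": {"b"}, "p3": {"a", "b"}})
# PSI (goal): a and b never hold at the same time.
PSI = Struct({"a", "b"}, {"q0", "q1", "q2"},
             {(u, v) for u in ("q0", "q1", "q2") for v in ("q0", "q1", "q2")},
             {"q0": set(), "q1": {"a"}, "q2": {"b"}})


def check_rule():
    """Truth values of the three premises M ≼ θ, θ||M' ≼ φ, φ||M ≼ ψ and of
    the conclusion M||M' ≼ ψ."""
    premises = (preorder(M, THETA),
                preorder(compose(THETA, M_PRIME), PHI),
                preorder(compose(PHI, M), PSI))
    conclusion = preorder(compose(M, M_PRIME), PSI)
    return premises, conclusion


if __name__ == "__main__":
    print(check_rule())                            # ((True, True, True), True)
    print(preorder(compose(M, M_PRIME), M))        # property 1: M||M' ≼ M
```

Neither φ alone nor M' alone satisfies ψ, so the third premise genuinely combines the assumption with M.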

So far, we have not discussed fairness. Both the preorder and the semantics 
of the logic should include some type of fairness. This is essential for model- 
ing systems (hardware or communication protocols) at the appropriate level of 
abstraction. Moreover, fairness is necessary for the ACTL tableau construction. 

Unfortunately, no efficient technique exists to check or compute the fair pre- 
order between models. In [17], Grumberg and Long suggest how to check the 
fair preorder only for a few trivial cases. Kupferman and Vardi showed that the 
general case is PSPACE-hard to compute [22]. Henzinger, Kupferman, and Ra- 
jamani [18] have proposed a new type of fair preorder that can be computed in 
polynomial time. However, it is not clear that this preorder is appropriate for 
compositional reasoning. 



Example: The Futurebus+ Protocol. David Long has used this type of 
reasoning to verify safety and liveness properties for the Futurebus+ standard 
of cache coherence protocol [12,19]. The whole design is divided into parallel 
components that represent single modules like cache, memory, bus, etc. This 
example requires several levels of assumptions and guarantees. 

The first stage of the verification was to check safety properties, since they 
can be verified using only forward reachability analysis and checking at each 
iteration that the current set of reachable states satisfies the property. Once a 
violation is found, the search is terminated immediately and an error trace is 
generated. The ability to terminate the search early was important since the 
BDD representing the set of reached states tended to become very large once an 
erroneous transition had occurred. As soon as all of the basic safety properties 
were satisfied, more complex formulas were checked in the state space restricted 
to the set of reachable states. Such a restriction also helped greatly in keeping 
the BDD from blowing up in size. 

Using this technique he found specifications that were satisfied by a single 
bus configuration but not by multiple bus configurations. The details of the 
verification can be found in [12]. 

7 Conclusions 

We describe several methods of dealing with the state explosion problem, which 
arises frequently due to parallel composition of processes. It is clear that compo- 
sitional reasoning is critical in formal verification. Such techniques dramatically 
reduce the complexity of model checking and permit the verification of signifi- 
cantly larger systems. We have used compositional methods extensively to verify 
large complex systems such as the Futurebus+ [12] and the PCI bus [10, 20] pro- 
tocols. 

This paper does not cover all compositional proof techniques. There are a 
number of other compositional techniques that can also be successfully used. For 
example, partial model checking [1] encodes one of the processes into the formula 
which is being checked, and simplifies the resulting formula. A similar method is 
described in [2]. Theorem proving techniques are also used to decompose and 
prove (manually) the property for each of the components [15,26]. 

In general, all of the compositional model checking techniques have their 
limitations and much work remains to be done. The most important problem is 
the trade-off between efficiency and automation. More powerful methods that 
can handle enormous complexity usually require an expert user and significant 
manual effort. These techniques usually rely on a powerful theorem prover under 
human guidance or careful choice of model checking parameters. On the other 
hand, completely automatic techniques frequently cannot handle extremely com- 
plex systems. The problem with automatic techniques is that they rely heavily 
on heuristics which may or may not work on different types of examples, and 
most of the intellectual work still has to be done by the user. 
1 Introduction 

Timed systems can be modeled as automata (or, generally, discrete transition 
structures) extended with real-valued variables (clocks) measuring the time 
elapsed since their initialization. The following features are also common in the 
above models. 

— States are associated with time progress conditions specifying how time can 
advance. Time can progress at a state by t only if all the intermediate states 
reached satisfy the associated time progress condition. 

— At transitions, clock values can be tested and modified. This is usually done 
by associating with transitions guards (conditions on clocks) and assign- 
ments. If a guard is true from an automaton state and a given clock valu- 
ation, the corresponding transition can be executed by modifying clocks as 
specified by the corresponding assignment. 

Time progress conditions can be used to specify urgency of transitions. Max- 
imal urgency is achieved at a state if the corresponding time progress condition 
is equal to the negation of the disjunction of the guards of the transitions is- 
sued from this state. This implies that waiting at the state is allowed only if 
there is no enabled transition. As soon as a transition is enabled, time cannot 
progress anymore and the execution of the enabled transition(s) is enforced. 
Minimal urgency is achieved at a state when the corresponding time progress 
condition is true, which implies that time can advance forever from this state 
and consequently indefinite waiting is allowed. 

Choosing appropriate time progress conditions for complex system specifica- 
tions is not a trivial problem, as is argued in [SY96,BS97b,BS97a]. In many 
papers, time progress conditions have been defined as invariants that must be 
continuously true by clock valuations at the corresponding states. This implies 
that when a state is reached the associated invariant must be satisfied, and makes 
modeling of absolute urgency sometimes difficult (for instance, in the case where 
a transition must be executed as soon as it is enabled). 

The problem of the definition and use of time progress conditions has been 
tackled in [SY96,BS97b]. The purpose of this work is to show how the applica- 
tion of results presented in [BS97b] leads to a modeling methodology for timed 
systems. Emphasis is put on pragmatic and methodological issues. The basic 
ideas are the following. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 103-129, 1998. 
— A timed system can be specified as the composition of timed transitions. 
The latter are transitions labeled, as usual, with guards and assignments 
but also with deadlines, conditions on the clocks that characterize the states 
at which the transition is enforced by stopping time progress. We require 
that the deadline of a transition implies its guard, so that whenever time 
progress is stopped the transition is enabled. 

— The guards and deadlines may contain formulas with past and future modal- 
ities concerning the evolution of clock values at a state. The use of such 
modalities does not increase the expressive power of the model but drasti- 
cally enhances comfort in specihcation. 

The paper is organized as follows. In section 2 we define Timed Automata 
with Deadlines (TAD) which are a class of Timed Automata [ACD93,HNSY94] 
where time progress conditions depend on deadlines associated with transitions. 
We show that using TAD makes urgency specification easier. In section 3 we 
present the model of Petri Nets with Deadlines (PND), which are (1-safe) Petri 
nets extended with clocks exactly as TAD are extensions of automata. We com- 
pare PND with different classes of Timed Petri Nets (TPNs) and show that safe 
TPNs can be modeled as PND. Section 4 presents some applications to modeling 
systems and in particular to modeling multimedia documents. 

2 Timed Automata with Deadlines 

2.1 Definitions 

Definition 1 (Timed Automaton with Deadlines (TAD)) 

A TAD is: 

— A discrete labeled transition system (S, →, A) where 

• S is a finite set of discrete states 

• A is a finite vocabulary of actions 

• → ⊆ S × A × S is an untimed transition relation 

— A set X = {x_1, …, x_m} of real-valued variables called clocks with dom(x_i) = R+ 

— A labeling function h mapping untimed transitions, elements of →, into timed 
transitions: h(s, a, s') = (s, (a, g, d, r), s'), where 

• g, d are respectively the guard and the deadline of the transition. Guards 
and deadlines are predicates p defined by the following grammar: 

p ::= x ⋈ c | x − y ⋈ c | p ∧ p | ¬p 

where x, y ∈ X, c is an integer and ⋈ ∈ {<, ≤}. We assume that d ⇒ g. 

• r ⊆ X is a set of clocks to be reset. 



Definition 2 (Semantics of a TAD) 

A state of a TAD is a pair (s, v), where s ∈ S is a discrete state and v ∈ R+^m 
is a clock valuation. We associate with a TAD a transition relation → ⊆ (S × 
R+^m) × (A ∪ R+) × (S × R+^m). Transitions labeled by elements of A correspond to 
discrete state changes while transitions labeled by non-negative reals correspond 
to time steps. 

Given s ∈ S, if {(s, a_i, s_i)}_{i∈I} is the set of all the transitions issued from s 
and h(s, a_i, s_i) = (s, (a_i, g_i, d_i, r_i), s_i) then: 

— ∀i ∈ I ∀v ∈ R+^m . (s, v) —a_i→ (s_i, v[r_i]) if g_i(v), where v[r_i] is the variable 
valuation obtained from v when all the clocks in r_i are set to zero (and the 
others left unchanged). 

— (s, v) —t→ (s, v + t) if ∀t' ≤ t . c_s(v + t'), where c_s = ¬ ∨_{i∈I} d_i and v + t is the 
valuation obtained from v by increasing all the clock values by t. 

We call c_s the Time Progress Condition (TPC) associated with the discrete 
state s. 

We consider TAD such that for any state s the TPC c_s is right-open. 



2.2 About time-progress conditions 

Notice that the simplest TAD is a single timed transition (s, (a, g, d, r), s') with 
untimed transition (s, a, s'), guard g, deadline d and reset set r. The guard g 
characterizes the set of states from which the timed transition is possible while 
the deadline d characterizes the subset of these states where the timed transition 
is enforced by stopping time progress. The relative position of d with respect to 
g determines the urgency of the action. For a given g, the corresponding d may 
take two extreme values: first, d = g, meaning that the action is eager and, 
second, d = false, meaning that the action is lazy. A particularly interesting 
case is the one of a delayable action where d is the falling edge of a right-closed 
guard g (cannot be disabled without enforcing its execution). The above cases 
are illustrated in figure 1. 

The condition d ⇒ g guarantees that if time cannot progress at some state, 
then at least one action is enabled from this state. Restriction to right-open 
TPCs guarantees that deadlines can be reached by continuous time trajectories 
and permits avoiding deadlock situations in the case of eager transitions. (For 
instance, consider the case where d = g = x > 2, implying the TPC x ≤ 2, 
which is not right-open. Then, if x is initially 2, time cannot progress by any 
delay t, according to definition 2.1 above. The guard g is not satisfied either, 
thus, the system is deadlocked.) The assumptions above ensure the property of 
time reactivity, that is, time can progress at any state unless an untimed transition 
is enabled. 

Branching from a state s can be considered as a non-deterministic choice 
operator between all the timed transitions issued from this state. The resulting 
untimed transition relation is the union of the untimed transition relations of the 
combined timed transitions. The resulting time step relation is the intersection 
of the time step relations of the combined timed transitions. 




S. Bornot, J. Sifakis, and S. Tripakis 

Fig. 1. Using deadlines to specify urgency (for a guard g, from left to right: 
d = g, eager; d = g↓, delayable; d = false, lazy). 



Compared to the Timed Automata (TA) model [HNSY94], TAD differ in 
that TPCs are not given explicitly but rather derived from the deadlines which 
specify urgency of individual timed transitions. Thus, TAD are a subclass of TA 
that are time-reactive. 

We believe that using deadlines rather than directly TPCs allows an easier 
modeling of urgency. Consider, for example, the TA in figure 2 which differ only 
in their TPCs. Clearly, the TA (1) and (2) specify the same behavior when s 
is reached with values x ≤ 5. However, (1) does not satisfy the time reactivity 
requirement and cannot be obtained from a TAD, while (2) can be obtained by 
supposing that a is delayable (d_1 = 5) and b is eager or delayable (d_2 = 5). The 
case (3) corresponds to eager actions a and b and (4) to lazy actions. 
Definition 3 (Urgency types) 

For convenience, we replace explicit deadlines in transitions by urgency types, 
which are simply notations meaning that a transition is eager (d = g), 
delayable (d = g↓) or lazy (d = false), respectively. 

Notice that any TAD can be transformed into an equivalent TAD with only 
eager and lazy transitions. 

For complex systems, computation of TPCs from deadlines of transitions 
may be useful as shown by the following example. In table 2.2 we give the TPCs 
c_s associated with state s (figure 3) for different types of urgency (eager, 
delayable, lazy) of the transitions (s, a_1, s_1) and (s, a_2, s_2). 

                   a_2 delayable             a_2 eager 
a_1 lazy           ¬(y = 7)                  ¬(4 ≤ y ≤ 7) 
a_1 delayable      ¬(y = 7 ∨ x = 5)          ¬(4 ≤ y ≤ 7 ∨ x = 5) 
a_1 eager          ¬(y = 7 ∨ 2 ≤ x ≤ 5)      ¬(4 ≤ y ≤ 7 ∨ 2 ≤ x ≤ 5) 



Notice that the use of urgency types to induce deadlines could lead to right- 
closed TPCs (for example, consider the case where a transition is eager and has 
a left-open guard, say, 1 < x ≤ 2). This can be avoided by ensuring that eager 
transitions always have left-closed guards. 

Fig. 2. Modeling urgency with TPCs. 

Fig. 3. Computing TPCs. 

2.3 Priority Choice 

It is often useful to consider that some priority is applied when from a state sev- 
eral timed transitions are enabled. This amounts to taking the non-deterministic 
choice between the considered transitions by adequately restricting the guards 
of the transitions with lower priority. 

Consider, for example, two timed transitions (s, (a_i, g_i, d_i, r_i), s_i) for i = 1, 2 
with a common source state s. If a_1 has lower priority than a_2, in the resulting 
TAD the transition labeled by a_2 does not change while the transition labeled 
by a_1 becomes (s, (a_1, g'_1, d'_1, r_1), s_1) where g'_1 ⇒ g_1 and d'_1 = d_1 ∧ g'_1. 

Commonly, g'_1 is taken to be g_1 ∧ ¬g_2, which means that whenever a_1 and 
a_2 are simultaneously enabled, a_1 is disabled in the prioritized choice. However, 
for timed systems other ways to define g'_1 are possible. One may want to prevent 
action a_1 from being executed if it is established that a_2 will eventually be executed 
within a given delay. 

For this reason we need the following notations. 

Definition 4 (Modal operators) 

Given a predicate p on X as in definition 2.1, we define the modal operators 
◇≤k p ("eventually p within k") and ◇̄≤k p ("once p since k"), for k ∈ R+ ∪ {∞}. 

◇≤k p (v) if ∃t ∈ R+ . 0 ≤ t ≤ k . p(v + t) 

◇̄≤k p (v) if ∃t ∈ R+ . 0 ≤ t ≤ k . ∃v' ∈ V . v = v' + t ∧ p(v') 

We write ◇p and ◇̄p for ◇≤∞ p and ◇̄≤∞ p, respectively, and □p and □̄p for 
¬◇¬p and ¬◇̄¬p, respectively. 

Notice that modalities can be eliminated to obtain simple predicates without 
quantifiers. For example, ◇(1 ≤ x ≤ 2) is equivalent to x ≤ 2. For notational 
convenience, we shall be using in the sequel guards and deadlines with modalities. 

Coming back to the example above, we can take g'_1 = g_1 ∧ ¬◇≤k g_2 or even 
g'_1 = g_1 ∧ □¬g_2. In the former case, a_1 yields priority to a_2 if a_2 is eventually 
enabled within k time units. In the latter case, a_1 is enabled only if a_2 is disabled 
forever. 

It is shown in [BS97b] that for timed systems it is possible to define priority 
choice operators applicable to a set of timed transitions and parameterized by 
a priority relation < ⊆ A × R+ × A. If (a_1, k, a_2) ∈ < (denoted a_1 <_k a_2) then 
the priority choice applied to a given set of timed transitions restricts the guard 
g_1 of a transition labeled by a_1 so as to disable a_1 whenever a_2 is to be enabled 
within k time units. In [BS97b] it is also shown that if the priority order satisfies 
some "transitivity conditions" then the corresponding priority choice preserves 
deadlock freedom in the following sense: If {g_i}_{i∈I} are the guards of a set of 
timed transitions and {g'_i}_{i∈I} are the modified guards obtained by application 
of the priority-choice operator then ◇ ∨_{i∈I} g_i = ◇ ∨_{i∈I} g'_i and ◇g_i ⇒ ◇(g'_i ∨ 
∨_{a_i <_k a_j} g'_j). The latter property says that if from a state the i-th transition is 
eventually enabled in the non-deterministic choice, then in the prioritized choice, 
either the i-th transition will be eventually enabled, or some transition of higher 
priority. 

Let us illustrate the above ideas with an example. Consider the priority 
choice between two timed transitions with respective labels (a_i, g_i, d_i, r_i), i = 1, 2, 
such that a_1 has lower priority than a_2, where g_1 = 0 ≤ x ≤ 4 ∨ x ≥ 6 and 
g_2 = 2 ≤ x ≤ 7 for some clock x. We get the following decreasing values for g'_1 as the 
priority delay increases: 

g'_1 = g_1 ∧ ¬g_2 = 0 ≤ x < 2 ∨ x > 7 (immediate priority) 

g'_1 = g_1 ∧ ¬◇≤1 g_2 = 0 ≤ x < 1 ∨ x > 7 (priority within a delay of 1) 

g'_1 = g_1 ∧ ¬◇g_2 = x > 7 (priority within an infinite delay) 

Fig. 4. Different priorities for a_2 over a_1 (a_1 <_0 a_2, a_1 <_1 a_2 and a_1 <_∞ a_2, 
plotted over x = 0, …, 9). 

Figure 4 illustrates the above example. The first case corresponds to the "clas- 
sical" priority choice, where a_1 is disabled whenever a_2 is enabled. The second 
case is stronger: a_1 is disabled also in case a_2 becomes enabled in at most 1 time 
unit. The third case is the strongest: a_1 is disabled whenever it is possible for a_2 
to become enabled sometime in the future. 

Finally, we should note that the use of negations to generate priority could 
lead to right-closed TPCs. When urgency types are used, this can be avoided by 
ensuring that a lazy transition never has higher priority over an eager transition. 
3 Petri Nets with Deadlines 

3.1 Definition 

For the sake of simplicity, we consider the timed extensions of 1-safe Petri nets. 
Definition 5 (Petri Net with Deadlines (PND)) 

A PND consists of: 

— A (1-safe) Petri net (𝒫, T, A) where: 

• 𝒫 is a finite set of places. 

• A is a finite vocabulary of actions. 

• T ⊆ 2^𝒫 × A × 2^𝒫 is a transition relation. 

— A set X = {x_1, …, x_m} of clocks. 

— A labeling function h mapping untimed transitions, elements of T, into timed 
transitions: h(P, a, P') = (P, (a, g, d, r), P'), where P, P' ⊆ 𝒫. 

As usual, we represent a PND as a bipartite labeled graph with two types 
of nodes (places and transitions), see figure 5. The transitions are labeled with 
action names, guards, deadlines and resets. 



Fig. 5. The transition ({p_1, …, p_m}, (a, g, d, r), {p'_1, …, p'_n}). 



We define the semantics of a PND in terms of a TAD. 
Definition 6 (TAD associated to a PND) 

A PND (𝒫, T, A, X, h) defines a TAD (S, →, A, X, h') such that: 

- S = 2^𝒫 

- P —a→ P' iff (P, a, P') ∈ T 

- h'(P, a, P') = h(P, a, P'). 
The above definition simply means that a PND is a TAD where the discrete 
transition structure is the corresponding marking graph. The transitions of the 
marking graph are submitted to the same timing constraints as the transitions 
of the PND. So PND are extensions of PNs where transitions are submitted to 
timing constraints exactly as TAD are extensions of automata. 

By adopting standard PN terminology, we will say that there is a token in 
place p when p is an element of the current state in the marking graph. Places 
are local states of processes. A transition with several input places represents a 
synchronization of several processes. It is enabled only if its input places have a 
token and the associated timing constraints are satisfied. 

An example of PND is given in figure 6. 




Fig. 6. A PND and its corresponding TAD. 



3.2 Synchronization modes 

We introduce some useful macro-notations that allow concise description of syn- 
chronization guards in terms of timing constraints about the synchronizing pro- 
cesses. 

We first define three different synchronization modes that correspond to differ- 
ent types of coordination between processes. We suppose that, for a synchro- 
nization transition, we are given "local guards" g_i expressing timing constraints 
about termination of each contributing process. We associate each guard g_i with 
an input arc of the synchronization transition (figure 7). A mode defines a way 
of composing the guards g_i to obtain the synchronization guard g. 

AND-synchronization: The resulting guard g is the conjunction g = 
∧_{i∈[1,n]} g_i of input guards. This simply means that synchronization is pos- 
sible only if all processes can terminate together. In the example of figure 8, we 
get g = g_1 ∧ g_2 = 3 ≤ x ≤ 5. 

MAX-synchronization: Synchronization can take place only if all the 
contributing processes have terminated. This implies synchronization at times t 
bounded by the maximum of the earliest termination times and the maximum 
of the latest termination times of the contributing processes. 

For this synchronization mode, we take g = ∨_{i∈[1,n]} (g_i ∧ ∧_{j≠i} ◇̄g_j). The 
i-th term of the guard means that the i-th process can terminate (now) while 
the others have already terminated. This allows one to specify synchronization with 
mutual waiting of all the contributing processes if ¬◇̄g_i holds when the input place 
p_i is reached. Otherwise it may happen that before reaching an input place p_i 
the guard has been already satisfied but this does not correspond to termination 
of p_i. 

In the example of figure 8, we get g = (g_1 ∧ ◇̄g_2) ∨ (◇̄g_1 ∧ g_2) = 3 ≤ x ≤ 7. 

Fig. 7. Meaning of synchronization notation (input places p_1, …, p_m, each 
input arc of the synchronization transition carrying its local guard g_i). 

Fig. 8. Resulting guards for the three synchronization modes: 
g_1 = 2 ≤ x ≤ 5 
g_2 = 3 ≤ x ≤ 7 
AND(g_1, g_2) = 3 ≤ x ≤ 5 
MAX(g_1, g_2) = 3 ≤ x ≤ 7 
MIN(g_1, g_2) = 2 ≤ x ≤ 5 

MIN-synchronization : Synchronization takes place when one of the con- 
tributing processes terminates and the others will eventually terminate. This 
corresponds to a kind of interrupt where the fastest process triggers the syn- 
chronization transition even though the other processes have not terminated. 
Notice that synchronization times t are bounded by the minimum of the earliest 
and the minimum of the latest termination time of the contributing processes. 

We take g = ∨_{i∈[1,n]} (g_i ∧ ∧_{j≠i} ◇g_j). The i-th term of the guard means that 
the i-th process can terminate (now) and all the others will eventually terminate. 

For the example of figure 8, we get g = (g_1 ∧ ◇g_2) ∨ (◇g_1 ∧ g_2) = 2 ≤ x ≤ 5. 
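The constructions of sections 2.2, 2.3 and 3.2 can be computed mechanically for guards over a single clock. The following is an added example, not code from the paper: it encodes a predicate as a union of intervals (an assumption of this example, chosen so that the modal operators of definition 4 become interval shifts), and reproduces the priority-choice values of section 2.3 (G1, G2) and the figure 8 guards (H1, H2) from the page.

```python
"""Added example (not the paper's code): guards over one clock x as unions of
intervals, with the modal operators of definition 4, the priority choice of
section 2.3, the urgency types of definition 3 and the AND/MAX/MIN modes."""
from functools import reduce
import math

INF = math.inf
# A predicate is a sorted tuple of disjoint, non-empty intervals
# (lo, lo_open, hi, hi_open) over the clock domain [0, INF).
FALSE = ()

def normalize(ivs):
    """Drop empty intervals, sort, and merge overlapping or touching ones."""
    out = []
    for lo, lo_open, hi, hi_open in sorted(ivs):
        if lo > hi or (lo == hi and (lo_open or hi_open)):
            continue  # empty interval
        if out:
            plo, plo_open, phi, phi_open = out[-1]
            if phi > lo or (phi == lo and not (phi_open and lo_open)):
                if phi > hi or (phi == hi and not phi_open):
                    hi, hi_open = phi, phi_open  # previous interval reaches further
                out[-1] = (plo, plo_open, hi, hi_open)
                continue
        out.append((lo, lo_open, hi, hi_open))
    return tuple(out)

def conj(p, q):
    out = []
    for alo, alo_open, ahi, ahi_open in p:
        for blo, blo_open, bhi, bhi_open in q:
            lo, lo_open = max((alo, alo_open), (blo, blo_open))  # stricter lower bound
            hi, hi_closed = min((ahi, not ahi_open), (bhi, not bhi_open))  # stricter upper
            out.append((lo, lo_open, hi, not hi_closed))
    return normalize(out)

def disj(p, q):
    return normalize(p + q)

def neg(p):
    """Complement within [0, INF)."""
    out, cur, cur_open = [], 0, False
    for lo, lo_open, hi, hi_open in p:
        out.append((cur, cur_open, lo, not lo_open))
        cur, cur_open = hi, not hi_open
    return normalize(out + [(cur, cur_open, INF, True)])

def eventually(p, k=INF):
    """Eventually-within-k p: p holds at some v + t, 0 <= t <= k (shift left by k)."""
    return normalize([(max(lo - k, 0), lo_open and lo - k >= 0, hi, hi_open)
                      for lo, lo_open, hi, hi_open in p])

def once(p, k=INF):
    """Once-since-k p: p held at some v - t, 0 <= t <= k (shift right by k)."""
    return normalize([(lo, lo_open, hi + k, hi_open or hi + k == INF)
                      for lo, lo_open, hi, hi_open in p])

def priority_guard(g1, g2, k):
    """a1 <_k a2 (section 2.3): g1' = g1 and not eventually-within-k g2."""
    return conj(g1, neg(eventually(g2, k)))

def deadline(g, urgency):
    """Definition 3: eager d = g, lazy d = false, delayable d = falling edge of g."""
    if urgency == "eager":
        return g
    if urgency == "lazy":
        return FALSE
    # delayable: the point x = u for every right-closed interval of g
    return normalize([(hi, False, hi, False) for _, _, hi, hi_open in g if not hi_open])

def tpc(deadlines):
    """Time progress condition of a state (definition 2): c_s = not (d_1 or ... or d_n)."""
    return neg(reduce(disj, deadlines, FALSE))

def sync_guard(mode, g1, g2):
    """Synchronization guard for two local guards (section 3.2)."""
    if mode == "AND":
        return conj(g1, g2)
    if mode == "MAX":   # terminate now while the other has already terminated
        return disj(conj(g1, once(g2)), conj(once(g1), g2))
    if mode == "MIN":   # terminate now while the other will eventually terminate
        return disj(conj(g1, eventually(g2)), conj(eventually(g1), g2))
    raise ValueError(mode)

def show(p):
    """Render in the paper's notation, e.g. '0 <= x < 2 or x > 7'."""
    fmt = lambda lo, lo_o, hi, hi_o: (f"x {'>' if lo_o else '>='} {lo:g}" if hi == INF else
                                      f"{lo:g} {'<' if lo_o else '<='} x {'<' if hi_o else '<='} {hi:g}")
    return " or ".join(fmt(*iv) for iv in p) or "false"

# Guards of the priority example in section 2.3 and of figure 8.
G1 = ((0, False, 4, False), (6, False, INF, True))   # 0 <= x <= 4 or x >= 6
G2 = ((2, False, 7, False),)                          # 2 <= x <= 7
H1 = ((2, False, 5, False),)                          # figure 8: g_1
H2 = ((3, False, 7, False),)                          # figure 8: g_2
```

For instance show(priority_guard(G1, G2, 1)) gives "0 <= x < 1 or x > 7", and tpc([deadline(H1, "eager")]) gives the TPC "x < 2 or x > 5" of an eager transition guarded by 2 ≤ x ≤ 5.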



3.3 Translating safe timed Petri nets into PND 

Many different classes of timed Petri nets (TPNs) have been defined. An impor- 
tant difference between TPNs and PND is that in the former timing constraints 
are local and associated with tokens. A comparison of the two models in the 
general case of non-safe Petri nets is out of the scope of this paper and is the 
object of an ongoing work. Here, we restrict our attention to 1-safe TPNs. 

Place-TPNs: [Sif77] In this class of TPNs, intervals [l_i, u_i] are associated 
with places p_i. A token arriving at a place p_i cannot be used for firing an output 
transition for some time t, l_i ≤ t ≤ u_i. After this time it becomes available. A 
transition fires as soon as all its input places have available tokens. 

The principle of a method for translating Place-TPNs to PND is illustrated 
in figure 9. 

Transition-TPNs: [Mer74] In this class of TPNs, intervals [l_i, u_i] are asso- 
ciated with transitions τ_i. A timed transition τ_i fires in times t, l_i ≤ t ≤ u_i, after 
the corresponding untimed transition becomes enabled. 

The principle of a method for translating Transition-TPNs to PND is illus- 
trated in figure 10. 

Stream-TPNs: This type of TPNs is introduced in [SDdSS94]. Given a 
transition τ, an interval [l_i, u_i] is associated with each input arc (p_i, τ) of τ. A 
token entering the input place p_i must wait for a time t, l_i ≤ t ≤ u_i, before 
becoming available for the transition τ. 

Nine different synchronization modes for stream TPNs are defined 
in [SDdSS94] (see figure 11). For each input place p_i of the synchronization 
transition τ, two timers x_i and y_i are defined as follows: x_i = max(l_i − t_i, 0) 
Fig. 9. From Place-TPNs to PND. 




Fig. 10. From Transition-TPN to PND. 
Fig. 11. Synchronization modes for Stream-TPNs (schematically, for two 
components): 

Mode           Induced guard [SDdSS94]              Corresponding TAD guard 
AND            [max(x_i), max(min(y_i), max(x_i))]  (g_1 ∧ g_2) ∨ ((g_1 ∧ ¬◇g_2)↓) ∨ ((g_2 ∧ ¬◇g_1)↓) 
WEAK-AND       [max(x_i), max(y_i)]                  (g_1 ∧ ◇̄g_2) ∨ (g_2 ∧ ◇̄g_1) 
OR             [min(x_i), max(y_i)]                  (◇g_1 ∧ ◇̄g_2) ∨ (◇g_2 ∧ ◇̄g_1) 
STRONG-OR      [min(x_i), min(y_i)]                  (g_1 ∧ ◇g_2) ∨ (g_2 ∧ ◇g_1) ∨ ((¬◇g_1)↓) ∨ ((¬◇g_2)↓) 
MASTER                                               g_1 ∨ ((¬◇g_1)↓) 
OR-MASTER      [min(x_i), y_m]                       g_1 ∨ ((¬◇g_1)↓) ∨ (◇g_1 ∧ ◇̄g_2) 
AND-MASTER     [max(x_i), max(y_m, max(x_i))]        (g_1 ∧ ◇̄g_2) ∨ ((g_2 ∧ ¬◇g_1)↓) 
STRONG-MASTER  [x_m, max(min(y_i), x_m)]             (g_1 ∧ ◇g_2) ∨ ((g_1 ∧ ¬◇g_2)↓) 
WEAK-MASTER    [x_m, max(y_i)]                       g_1 ∨ (◇̄g_1 ∧ ◇g_2) 
and y_i = max(u_i − t_i, 0), where t_i is the elapsed time since the arrival of the 
token at place p_i. Thus, x_i and y_i are taken to be the "current" lower and upper 
bounds for the enabledness of each input arc (p_i, τ). 

The nine synchronization modes are shown in the leftmost column of fig- 
ure 11. Notice that, in the figure, max and min denote the usual mathematical 
operators and are not to be confused with the MAX and MIN synchroniza- 
tion operators defined previously. Also, we write max(x_i) as a shorthand for 
max_{i=1..n}{x_i}, and similarly for min. The middle column of the figure displays 
the guards induced by each of the synchronization modes, for n = 2, where 
g_i = [x_i, y_i]. 

The model of stream-TPNs can also be translated into our model, as shown 
in the right-most column of figure 11. 

4 Applications 

4.1 Producer Consumer 

We show how PND can be used to model a system composed of a producer and 
a consumer communicating via a zero-length buffer. The producer takes between 
l_p and u_p time units to produce an item, which is then made available to the 
buffer after a delay between l'_p and u'_p time units. The consumer needs between 
l_c and u_c time units to consume an item and is ready for a new item after a delay 
between l'_c and u'_c time units. The above delays are measured using one clock 
per process, namely, x for the producer and y for the consumer. Figure 12(a) 
shows the two processes modeled as PND. 

Whenever the buffer is full and the consumer is willing to take an item, the 
latter is exchanged between the two processes by an instantaneous handshake. 
The handshake is represented by the synchronization transition of the PND corre- 
sponding to the composition of the two processes, shown in figure 12(b). The 
guard g of the handshake transition can be chosen to be either g' or g'', where: 

g' = AND(l'_p ≤ x ≤ u'_p, l'_c ≤ y ≤ u'_c) 
   = l'_p ≤ x ≤ u'_p ∧ l'_c ≤ y ≤ u'_c 

g'' = MAX(l'_p ≤ x ≤ u'_p, l'_c ≤ y ≤ u'_c) 
    = (l'_p ≤ x ≤ u'_p ∧ l'_c ≤ y) ∨ (l'_p ≤ x ∧ l'_c ≤ y ≤ u'_c) 

In the first case, the temporal constraints are considered "hard", that is, it is 
required that both lower and upper bounds of the intervals [l'_p, u'_p] and [l'_c, u'_c] 
are respected in order for the handshake to take place. (An informal explanation 
of this choice could be that u'_p represents the "expiring date" of the item, while 
u'_c is the maximum time the consumer can wait, after which he/she "starves to 
death".) AND synchronization is commonly used in the composition of systems; 
however, it is a strict synchronization mechanism which often leads to deadlocks. 

In the case of MAX synchronization, temporal constraints are "looser", that 
is, only one of the upper bounds is required to hold. (Informally, this might 
represent a more realistic situation, where the item never loses its value, while 
Fig. 12. Producer-Consumer system modeled as PND: (a) the producer (clock x, 
transition produce, reset x := 0) and the consumer (clock y, transition consume, 
reset y := 0), each with places empty and full; (b) their composition, where the 
handshake is the synchronization transition. 
the consumer is willing to wait.) MAX synchronization guarantees the absence 
of deadlocks. Moreover, combined with appropriate deadlines, it can model syn- 
chronization with minimal or maximal waiting, as we show below. 

Regarding the urgency type of the synchronization transition, in the case of 
AND synchronization it is reasonable to assume that the transition is delayable, 
which gives the deadline: 

d' = g'↓ = (x = u'_p ∧ l'_c ≤ y ≤ u'_c) ∨ (y = u'_c ∧ l'_p ≤ x ≤ u'_p) 

In the case of MAX synchronization more than one possibility is of interest, 
namely: 

— The choice of delayable transition corresponds to a maximal-waiting policy: 

d'' = g''↓ = (x = u'_p ∧ y ≥ u'_c) ∨ (y = u'_c ∧ x ≥ u'_p); 

— The choice of eager transition corresponds to a minimal-waiting policy; 

— The following choice corresponds to a "best-effort" synchronization scheme, 
where either no upper bound is violated if possible, or the transition is 
executed as soon as possible, in the case of violation: 

d''' = d' ∨ (x = l'_p ∧ y > u'_c) ∨ (y = l'_c ∧ x > u'_p). 

Notice that d''' cannot be obtained using any of the urgency types eager, 
delayable or lazy. 

4.2 Variations on the theme of mutual exclusion 

We consider the generic mutual-exclusion situation shown in figure 13. A resource 
is shared by two processes P_1 and P_2 and can be used by at most one of them 
at any time. Each time it is used, the resource is again available after an amount 
of time which can vary in an interval I. Process P_i occupies the resource for an 
amount of time in an interval C_i, for i = 1, 2. From the moment it has finished 
using the resource, P_i is ready to use it again after some delay in an interval W_i. 
In the PND model shown in the figure, clocks x_1, x_2 and z are used for P_1, P_2 
and the resource, respectively. 

There are different policies of granting the resource to the processes, depend- 
ing on how strict the temporal constraints of the problem are taken to be and 
also on whether an optimal utilization of the resource is sought. We examine 
some of these policies below, showing how they can be modeled by appropri- 
ately choosing the guards g_i and the urgency types shown in the figure, for 
i = 1, 2. We assume that I = [l, u], W_i = [l_i, u_i] and C_i = [l'_i, u'_i], for i = 1, 2 (the 
analysis can be generalized to unbounded intervals). 

— g_i = AND(x_i ∈ W_i, z ∈ I). In this case the temporal constraints are hard. 
Then, if process Pi manages to get the resource, it is guaranteed to do so at 
most Ui time units after the time it has released it. On the other hand, the 
resource is guaranteed not to be left idle for more than u time units after 
it has been used for the last time. The problem of this method is that it 
can easily lead to deadlocks, either local (i.e., where one process starves) or 
global (i.e., where the whole system is blocked). 
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waiti resource wait2 




— gi = MAX(*i G Wi,z G I). In this case the temporal constraints are loose 
and the specihcation is deadlock-free for any (non-empty) intervals I , Wi 
and C\. 

— gi = [xi e Wi) A O {z e T) or gi = (O Xi £ W-) A (z £ /). These are 
intermediate choices, looser than AND synchronization, however, without 
avoiding deadlocks completely. In the hrst case, the upper bound of the 
resource’s interval is ignored, while in the second case, the processes’ upper 
bounds are ignored. 

Regarding the urgency type of the synchronization transition, it can be cho- 
sen to be either eager or delayable (lazy synchronization is not meaningful in 
this case). Delayable is the less strict choice, minimizing the risk of deadlocks 
in the case MAX is not used. Eager implies that a better utilization of the re- 
source (i.e., less idle time) is achieved. However, if MAX synchronization is not 
used, the risk of deadlocks is greater than in the delayable case, since the time 
non-determinism is reduced. 

We finally consider the situation where process P_1 is given a higher priority 
with respect to process P_2. This is typically the case when P_1 demands the 
resource much less frequently than P_2 (for example, when P_1 is the process 
handling the keyboard, while P_2 is any batch process). We can model the different 
priorities by strengthening the guard g_2 into g'_2 = g_2 ∧ ¬◇_{≤ u'_2} g_1, where u'_2 is the upper 
bound of interval C_2. The intention is to let P_2 have the resource only if it is 
guaranteed to finish before P_1 becomes ready. 

4.3 Deadline-monotonic scheduling without preemption 

We consider the following real-time scheduling problem. We are given a single 
processor and a set of periodic tasks P_1, ..., P_n to be executed upon this processor. 
Task P_i has a computation delay C_i and becomes ready for execution every T_i 
time units (the period of P_i). Furthermore, P_i needs to be completed at most D_i 
time units after the moment it becomes ready (the deadline of P_i). We assume 
that, for each i = 1, ..., n, we have C_i ≤ D_i ≤ T_i. The processor can execute 
only one process at a time and no preemption is allowed, that is, execution of a 
process cannot be interrupted and continued later on. See figure 14. 



Fig. 14. Deadline-monotonic scheduling assumptions. (Figure: a timeline marking "task ready", "deadline expires" and the period T_i.) 



We show how Petri nets with deadlines can be used to model the so-called 
deadline-monotonic algorithm [ABRW91] which solves the above scheduling 
problem.¹ The algorithm is based on assigning static priorities to tasks ac- 
cording to their deadlines. In particular, higher priorities are assigned to tasks 
with shorter deadlines and no two tasks have the same priority (in case two tasks 
have equal deadlines, their relative ordering is chosen arbitrarily). 

Figure 15(a) shows the PND modeling task P_i. The net has three places, 
namely, sleep_i (the task hasn't become ready yet), wait_i (the task is ready and 
waiting to be served) and use_i (the task is being served). Two clocks are used 
per task, namely, x_i and y_i: x_i counts the period T_i and also makes sure that 
the deadline D_i is not violated; y_i counts the computation delay C_i. 

Figure 15(b) shows the PND modeling the deadline-monotonic scheduling 
algorithm for two tasks P_1 and P_2, assuming that the first one has higher priority 
(i.e., D_1 < D_2). The processor is modeled as a single place the token of which 
is necessary in order for a task to execute. Priority of P_1 over P_2 is ensured by 
placing the guard x_1 < T_1 in the transition wait_2 → use_2. Transitions wait_i → 
use_i are both eager while all other transitions are delayable. 

Using Kronos, we test the schedulability of two tasks for various values of 
the parameters C_i, D_i, T_i, i = 1, 2. The test is performed as follows. We first re- 
place the parameters by their values and generate the TAD corresponding to the 
resulting PND. Next, we translate this TAD to a classical TA with time-progress 
conditions by using extra clocks to specify the urgency of certain transitions. Fi- 
nally, we test whether in the TA there exist reachable states which are zeno, that 
is, from which time can no longer progress. In fact, there are two cases: either 
all reachable states of this TA are zeno, meaning that the tasks are not schedu- 
lable, or no zeno reachable states exist, which means that deadline-monotonic 
scheduling can be applied. 

¹ We model a simplified version of the algorithm. Actually, deadline-monotonic 
scheduling uses preemption. 

Fig. 15. Deadline-monotonic scheduling modeled as PND. (Figure: (a) the net for a single task P_i; (b) the net for two tasks, with places sleep_1 and sleep_2.) 
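The schedulability question of this section can also be played out concretely. The following is an added example, not the paper's PND model or its Kronos analysis: it simulates one run of non-preemptive deadline-monotonic scheduling with all tasks released at time 0 and each waiting task served eagerly as soon as the processor is free (the eager wait_i → use_i transitions), over one hyperperiod, reporting the first missed deadline; the task sets are constructed for illustration.

```python
from dataclasses import dataclass
from math import lcm


@dataclass(frozen=True)
class Task:
    name: str
    C: int  # computation delay C_i
    D: int  # relative deadline D_i
    T: int  # period T_i

    def __post_init__(self):
        # the paper's assumption C_i <= D_i <= T_i
        assert 0 < self.C <= self.D <= self.T, self.name


def dm_priorities(tasks):
    """Deadline-monotonic static priorities: shorter deadline first; equal
    deadlines are ordered arbitrarily (here: input order, sorted() is stable)."""
    return sorted(tasks, key=lambda t: t.D)


def simulate(tasks, horizon=None):
    """Play out the non-preemptive deadline-monotonic schedule from a
    synchronous release at time 0 up to `horizon` (default: the hyperperiod).
    Returns (schedulable, log); log holds (start, end, name) triples and,
    on failure, a final ("miss", deadline, name) entry."""
    rank = {t.name: i for i, t in enumerate(dm_priorities(tasks))}
    by_name = {t.name: t for t in tasks}
    if horizon is None:
        horizon = lcm(*(t.T for t in tasks))
    next_rel = {t.name: 0 for t in tasks}  # sleep_i -> wait_i fires every T_i
    ready = {}                             # name -> release time of the waiting job
    log, now = [], 0
    while now < horizon:
        # release every job whose period boundary has been reached
        for t in tasks:
            while next_rel[t.name] <= now:
                if t.name in ready:
                    # the previous job is still waiting after T_i >= D_i: deadline missed
                    return False, log + [("miss", ready[t.name] + t.D, t.name)]
                ready[t.name] = next_rel[t.name]
                next_rel[t.name] += t.T
        if not ready:
            now = min(next_rel.values())   # processor idles until the next release
            continue
        # wait_i -> use_i is eager: the highest-priority waiting task starts at once,
        # and since there is no preemption it keeps the processor for C_i time units
        name = min(ready, key=rank.__getitem__)
        task, release = by_name[name], ready.pop(name)
        start, end = now, now + task.C
        log.append((start, end, name))
        if end > release + task.D:
            return False, log + [("miss", release + task.D, name)]
        now = end
    return True, log


if __name__ == "__main__":
    ok, log = simulate([Task("P1", 2, 4, 5), Task("P2", 3, 8, 10)])
    print(ok, log)
```

Unlike the exhaustive zeno-state check described above, a single run can only refute schedulability for the release pattern it explores; the second constructed task set below misses a deadline because the low-priority task blocks the high-priority one, which is exactly what non-preemption allows.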

4.4 Specification and verification of multimedia documents 

Description This application deals with modeling a multimedia document as 
a PND which can then be analyzed in order to check whether the document 
admits an execution scenario. More precisely, we consider (a simplified version 
of) Madeus [JLSIR97] as the specification language of multimedia documents. 
This language combines operators from Allen's interval temporal logic [All83] 
with waiting and interruption operators. 

The building blocks of a document are media objects representing a piece of 
information which has to be “played” continuously for a certain duration. The 
latter can be either fixed, or variable, in which case some flexibility is allowed in 
the presentation of the object. Let 𝒪 = {O_1, ..., O_n} be the set of media objects. 
With each O_i we associate a duration interval I_i of one of the following types: 
[l, u], [l, u), [l, ∞) or (l, ∞), where l, u are natural constants. 

Documents are tree-like structures, built according to the following syntax: 

𝒟 ::= O | 𝒟_1 op 𝒟_2 

where O ∈ 𝒪 and op is an operator among meets, equals, overlaps, parmin, 
parmax, and parmaster. We require that each object O ∈ 𝒪 appears at most 
once in any document specification 𝒟. 

Each operator has a dual function: First, it builds a composite document from 
two simpler ones. Second, it imposes constraints on the order of the starting and 
finishing times of the component documents. These constraints can be trivial, as 
in the case of the meets operator, or more demanding, as in the case of equals, 
where consistency has to be ensured. Before giving the translation of a document 
specification to a PND, let us present intuitively the meaning of the operators 
defined above. 

— 𝒟_1 meets 𝒟_2 is the document starting when 𝒟_1 starts, finishing when 𝒟_2 
finishes, and where the end of 𝒟_1 coincides with the beginning of 𝒟_2; 

— 𝒟_1 equals 𝒟_2 is the document where 𝒟_1 and 𝒟_2 start and finish at the same 
time; 

— 𝒟_1 overlaps 𝒟_2 is the document starting when 𝒟_1 starts, finishing when 𝒟_2 
finishes, and where the beginning of 𝒟_2 is strictly later than the beginning of 
𝒟_1, and the end of 𝒟_1 is strictly later than the beginning of 𝒟_2 and strictly 
earlier than the end of 𝒟_2; 

— 𝒟_1 parmin 𝒟_2 is the document where 𝒟_1 and 𝒟_2 start at the same time, 
and the one which finishes first terminates the document; 

— 𝒟_1 parmax 𝒟_2 is the document where 𝒟_1 and 𝒟_2 start at the same time, 
and the one which finishes last terminates the document; 

— 𝒟_1 parmaster 𝒟_2 is the document where 𝒟_1 and 𝒟_2 start at the same time, 
and the document finishes whenever 𝒟_1 does. 



Modeling With each media object O_i, i = 1, ..., n we associate a clock x_i. Also, 
given a set of clocks X, we denote by X := 0 the resetting of each clock in X to 
zero. 

We now define the translation of a document specification 𝒟 to a PND 𝒩. 
The definition is by induction on the syntax of 𝒟. The media object O_i is trans- 
lated to the net shown in figure 16. 



Fig. 16. The PND corresponding to the basic media object O_i. (Figure: a starting transition t_i with guard true and reset x_i := 0, followed by a finishing transition guarded by x_i ∈ I_i.) 



In order to construct the PND for a document 𝒟_1 op 𝒟_2, we assume having 
already the PND 𝒩_1 and 𝒩_2 corresponding to 𝒟_1 and 𝒟_2, respectively. These 
nets have the general form shown in figure 17, that is, a single starting transition 
t_i, a single finishing transition guarded by g_i, and a body displayed as a dashed- 
line box in the figures. All the transitions are delayable, apart from the initial 
transition which is eager. Also, we assume that this is the case for all the PND 
resulting from the constructions shown in the sequel. It is easy to see that the 
PND of a basic object conforms to this general scheme. The constructions that 
are presented below preserve this general scheme. 

Fig. 17. The general form of PND 𝒩_i corresponding to a document 𝒟_i. (Figure: starting transition with guard true and reset x_i := 0, the body, and a finishing transition guarded by g_i.) 

Figures 18, 19 and 20 show the PND corresponding to 𝒟_1 meets 𝒟_2, 
𝒟_1 equals 𝒟_2 and 𝒟_1 overlaps 𝒟_2, respectively. For the operators parmin, 
parmax and parmaster the construction is identical to the one for equals, with 
the difference that the guard g_1 ∧ g_2 of the finishing transition t' is replaced by 
MIN(g_1, g_2), MAX(g_1, g_2) and MASTER(g_1, g_2), respectively. 




Verification Given a document specification 𝒟, we are interested in checking its 
consistency, that is, whether the temporal constraints imposed by the various 
operators and the duration intervals of each basic object are compatible. For 
instance, the specification O_1 equals O_2 is consistent if and only if the duration 
intervals I_1 and I_2 have non-empty intersection. 

To check consistency, we proceed as follows. We first construct the net 𝒩 
corresponding to the specification 𝒟. Next, we build the TAD 𝒜 associated with 
𝒩 and add two extra locations Begin and End to 𝒜. The former is the initial 
location, source of the (unique) edge of 𝒜 corresponding to the starting transition 
of 𝒩. End is the target location of the (unique) edge of 𝒜 corresponding to the 
finishing transition of 𝒩. End has no outgoing edges. Finally, we check whether 
End is reachable from Begin. If this is the case then 𝒟 is consistent and we also 
obtain a sample execution scenario in the form of a run of the automaton 𝒜. 
Otherwise, the specification is inconsistent. The reachability test is performed 
using the real-time verification tool Kronos. 



Fig. 19. The PND corresponding to document 𝒟_1 equals 𝒟_2. 

Fig. 20. The PND corresponding to document 𝒟_1 overlaps 𝒟_2. 

An example 

Description. We consider the following document specification: 

𝒟 = 𝒟_1 meets 𝒟_2 

𝒟_1 = A equals (B parmax (C parmin D)) 

𝒟_2 = (E meets (F equals G)) parmaster (H starts O) 

where: 

— 𝒟 is a document composed of two "scenes", that is, two sub-documents 𝒟_1 
and 𝒟_2. 

— 𝒟_1 is the introduction, composed of four media objects, namely, a video clip 
A, a sound clip B, a piece of music C and a user button D. The intention is 
that the video A is played in parallel with its sound B, while at the same time 
music is heard in the background. The user can stop the music by pressing 
the button. 

— 𝒟_2 is the body of the document, composed of five media objects, namely, 
a still picture E followed by a video clip F and its sound clip G, which 
determine the presentation of an animation H and a diagram O. 

— The duration intervals of the objects are as follows: 

A : [15, 17]   B : [14, 16]   C : [9, 11]   D : [10, 13] 

E : [5, 7]   F : [3, 6]   G : [4, 7]   H : [6, 12]   O : [11, ∞) 

— D' starts D'' is a macro-notation for (D' meets B) equals D'', where B 
is a "dummy" media object of null content having an arbitrary duration in 
(0, ∞). 

Modeling. The specification 𝒟 is modeled as the PND shown in figure 21. For 
clarity reasons, we have reduced the number of clocks in this example to the least 
possible. Indeed, since A, B, C, D start simultaneously, their respective clocks 
have the same value, thus, they can be replaced by the same clock, say, x. Clock 
x is re-used for E, H, O, while clock y is associated to F, G. Finally, a clock z is 
associated to the dummy object used for starts. 

All transitions are delayable and their guards are as follows: 

g_1 = (x ∈ I_A) ∧ MAX((x ∈ I_B), MIN((x ∈ I_C), (x ∈ I_D))) 

g_2 = (x ∈ I_E) 

g_3 = (x ∈ I_H) 

g_4 = MASTER((y ∈ I_F ∧ y ∈ I_G), (z > 0 ∧ x ∈ I_O)) 

After replacing operators MIN, MAX, MASTER by their definitions and elimi- 
nating all existential quantifiers, we obtain: 

g_1 = 15 ≤ x ≤ 16 

g_2 = 5 ≤ x ≤ 7 

g_3 = 6 ≤ x ≤ 12 

g_4 = 4 ≤ y ≤ 6 

Therefore, we see that clock z is not needed. 
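As an added example (not the paper's translation to PND and TAD), the consistency of the document above can be decided by computing, bottom-up, the interval of admissible durations of each sub-document, since each of the operators meets, equals, parmin, parmax and parmaster maps duration intervals to a duration interval; the code assumes closed or right-unbounded intervals, approximates the (0, ∞) dummy of starts by [0, ∞), and leaves out overlaps.

```python
from dataclasses import dataclass
from math import inf
from typing import Optional, Tuple, Union

Interval = Optional[Tuple[float, float]]   # None stands for "no admissible duration"


@dataclass(frozen=True)
class Obj:
    """A basic media object O_i with duration interval [lo, hi]; hi may be inf."""
    name: str
    lo: float
    hi: float


@dataclass(frozen=True)
class Op:
    """A composite document D1 op D2."""
    op: str            # meets | equals | parmin | parmax | parmaster
    d1: "Doc"
    d2: "Doc"


Doc = Union[Obj, Op]


def starts(d1: Doc, d2: Doc) -> Op:
    """The page's macro: d1 starts d2 = (d1 meets dummy) equals d2, with a dummy
    object of arbitrary positive duration (approximated here by [0, inf))."""
    return Op("equals", Op("meets", d1, Obj("dummy", 0, inf)), d2)


def duration(d: Doc) -> Interval:
    """Bottom-up set of admissible durations of d: an interval, or None if the
    constraints of the operators and objects cannot all be met."""
    if isinstance(d, Obj):
        return (d.lo, d.hi) if d.lo <= d.hi else None
    a, b = duration(d.d1), duration(d.d2)
    if a is None or b is None:
        return None                       # a sub-document is already inconsistent
    if d.op == "meets":                   # end of d1 coincides with start of d2
        return (a[0] + b[0], a[1] + b[1])
    if d.op == "equals":                  # same start and same finish
        lo, hi = max(a[0], b[0]), min(a[1], b[1])
        return (lo, hi) if lo <= hi else None
    if d.op == "parmin":                  # common start, first to finish ends it
        return (min(a[0], b[0]), min(a[1], b[1]))
    if d.op == "parmax":                  # common start, last to finish ends it
        return (max(a[0], b[0]), max(a[1], b[1]))
    if d.op == "parmaster":               # common start, finishes when d1 does
        return a
    raise ValueError(f"unsupported operator {d.op!r}")


def consistent(d: Doc) -> bool:
    return duration(d) is not None


# The page's example, constructed here from its listed duration intervals.
A, B, C, D = Obj("A", 15, 17), Obj("B", 14, 16), Obj("C", 9, 11), Obj("D", 10, 13)
E, F, G = Obj("E", 5, 7), Obj("F", 3, 6), Obj("G", 4, 7)
H, O = Obj("H", 6, 12), Obj("O", 11, inf)

SCENE1 = Op("equals", A, Op("parmax", B, Op("parmin", C, D)))
SCENE2 = Op("parmaster", Op("meets", E, Op("equals", F, G)), starts(H, O))
DOCUMENT = Op("meets", SCENE1, SCENE2)

if __name__ == "__main__":
    print(duration(SCENE1), duration(SCENE2), consistent(DOCUMENT))
```

For the example document this recovers the bounds 15 ≤ x ≤ 16 of g_1 and 4 ≤ y ≤ 6 of g_4 computed above, while an equals of two objects with disjoint intervals yields None, that is, an inconsistent specification.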
Fig. 21. Example multimedia specification translated into a PND. 

Consistency analysis. In order to verify the consistency of the specification, we 
translate the PND of figure 21 to the TAD shown in figure 22. Then, using 
Kronos, we find that the final location End is indeed reachable, and we are 
given the following sample execution scenario, in the form of a symbolic trail. The 
latter is made of a sequence of symbolic states, that is, pairs of a control location 
and a clock guard. Each symbolic state is followed by its time successor, which 
is in turn followed by an action successor. 

Fig. 22. The TAD corresponding to the PND of figure 21. 

(0, x = 0 and y = 0) 

(0, 15 <= x and x <= 16 and x = y) 

15 <= x and x <= 16 => end_ABCD; reset{x}; goto 1 
(1, x = 0 and 15 <= y and y <= 16) 

(1, 5 <= x and x <= 7 and x + 15 <= y and y <= x + 16) 

5 <= x and x <= 7 => end_E; reset{y}; goto 2 
(2, 5 <= x and x <= 7 and y = 0) 

(2, 6 <= x and x <= 12 and y <= 6 and x <= y + 7 and y + 5 <= x) 

6 <= x and x <= 12 => end_H; reset{}; goto 4 

(4, 6 <= x and x <= 12 and y <= 6 and x <= y + 7 and y + 6 <= x) 

(4, 4 <= y and y <= 6 and x <= y + 7 and y + 6 <= x) 

4 <= y and y <= 6 => end_FGO; reset{}; goto 5 
(5, 4 <= y and y <= 6 and x <= y + 7 and y + 6 <= x) 

(5, 4 <= y and x <= y + 7 and y + 6 <= x) 

5 Conclusions 

The paper proposes a methodological framework for modeling urgency in timed 
systems. Urgency is an essential feature of timed systems and is related to their 
capability of waiting before executing actions. Compared to untimed systems 
where waiting is asynchronous (indefinite waiting of a process is usually allowed), 
waiting times are the same in all components of a timed system. Incompatibility 
of time progress requirements for the processes of a system may lead to incon- 
sistency in specifications. 

The main thesis of the paper is that many different ways of composing time 
progress conditions are useful in practice. Furthermore, time progress condition 
description should not be dissociated from action description. This leads to the 
definition of TAD, which are timed automata composed of timed transitions, that is, 
transitions specified in terms of two related conditions expressing, respectively, 
the possibility of execution and the forcing of execution by stopping time progress. The TAD are a 
subclass of timed automata that satisfy the time reactivity condition, meaning 
that from any state, as long as there are no actions enabled, time can progress. 

The proposed methodology is based on the idea that complex timed systems 
can be obtained as the composition of elementary ones (timed transitions) by 
means of choice and synchronization operations. The latter allow one to define the 
guard and the deadline of a synchronization action in terms of the guards and 
deadlines of the synchronizing actions. Apart from AND-synchronization, which 
corresponds to the commonly used conjunctive synchronization, other synchro- 
nization modes are shown to be of practical interest, as they have been introduced 
in timed models such as the timed extensions of Petri nets. These synchroniza- 
tion modes can be expressed in terms of AND-synchronization if auxiliary states 
(and transitions) are added to represent information encoded by modalities in 
the expression of synchronization guards. However, this may lead to complex 
constructions and make specifications less legible. Thus, the different synchro- 
nization modes are at least an interesting macro-notation, especially for systems 
with loosely coupled components where coordination is realized by mechanisms 
seeking consensus and flexibility, e.g., protocols. In fact, the modal formulas in 
synchronization guards can be considered as the abstract specifications of a pro- 
tocol used to implement the described coordination. 

The paper contribut­es to clarifying the notion of urgency and proposes the 
mechanisms that are necessary for a "natural" specification of timed systems. 
It shows, amongst others, that for the specification of general timed systems a rich 
methodological framework is necessary that includes new concepts and con- 
structs that are not applicable to untimed systems. In fact, compositional de- 
scription of untimed specifications can be extended in many different manners 
to timed specifications, as shown by several examples. It is remarkable that the 
composition mechanisms defined initially for timed automata or process alge- 
bras are obtained by lifting directly the corresponding mechanisms for untimed 
systems (conjunction of guards and time progress conditions for synchroniza- 
tion). This contrasts with ad hoc flexible synchronization mechanisms added to 
Petri nets or to logical specification languages. We believe that our results al- 
low one to compare and better understand the relations between the existing timed 
formalisms and can be a basis of a framework for compositional specification of 
timed systems. 
Abstract. We introduce a mathematical model of components that can 
be used for the description of both hardware and software units forming 
distributed interactive systems. As part of a distributed system a 
component interacts with its environment by exchanging messages in a 
time frame. The interaction is performed by accepting input and by 
producing output messages on named channels. We describe forms of 
composition and three forms of refinement, namely property refinement, 
glass box refinement, and interaction refinement. Finally, we prove the 
compositionality of the mathematical model with respect to the 
introduced refinement relations. 



1. Introduction 

For a discipline of system development firmly based on a scientific theory we need a 
clear notion of components and ways to manipulate and to compose them. In this 
paper, we introduce a mathematical model of a component with the following 
characteristics: 

• A component is interactive. 

• It is connected with its environments by named and typed channels. 

• It receives input messages from its environment on its input channels and 
generates output messages to its environment on its output channels. 

• A component can be nondeterministic. This means that for a given input history 
there may exist several output histories that the component may produce. 

• The interaction between the component and its environment takes place in a 
global time frame. 

Throughout this paper we work with discrete time. Discrete time is a sufficient model 
for most of the typical applications. For an extension of our model to continuous 
time see [16]. 

Based on the ideas of an interactive component we can define forms of 
composition. We basically introduce only one form of composition, namely parallel 
composition with feedback. This form of composition allows us to model concurrent 
execution and interaction. We will show that other forms of composition can be 
introduced as special cases of parallel composition with feedback. 

For the systematic stepwise development of components we introduce the concept 
of refinement. By refinement we can develop a given component in a stepwise 
manner. We study three refinement relations namely property refinement, glass box 
refinement, and interaction refinement. We claim that these notions of refinement are 
all we need for a systematic top down system development. 

Finally, we prove that our approach is compositional. This means that a 
refinement step for a composed system is obtained by refinement steps for its 
components. As a consequence, global reasoning can be structured into local 
reasoning on the components. Compositionality relates to modularity in systems 
engineering. 

The new contribution of this paper is the relational version of the stream processing 
approach as developed at the Technische Universität München (under the keyword 
Focus, see [11], [12]). Moreover, the paper aims at a survey over this approach. 

We begin with the informal introduction of the concept of interactive 
components. This concept is based on communication histories called streams that 
are introduced in section 3. Then a mathematical notion of a component is introduced 
in section 4 and illustrated by simple examples. Section 5 treats operators for 
composing components to distributed systems. In section 6 we introduce three 
notions of refinements to develop systems and show the compositionality of these 
notions. All concepts are illustrated by simple examples. 



2. Central Notion: Component 

We introduce the mathematical notion of a component and on this basis a concept of 
component specification. A component specification is given by a description of the 
syntactic interface and a logical formula that relates input and output histories. 

The notion of component is essential in systems engineering and software 
engineering. Especially in software engineering a lot of work is devoted to the 
concept of software architecture and to the idea of componentware. Componentware is 
a catchword in software engineering (see [15]) for a development method where 
software systems are composed from given components such that main parts of the 
systems do not have to be reprogrammed every time again but can be obtained by a 
new configuration of existing software solutions. A key for this approach are well 
designed software architectures. Software architectures mainly can be described as 
specifically structured systems, composed of components. In both cases a clean and 
clear concept of a component is needed. 

In software engineering literature the following informal definition of a 
component is found: 



A component is a physical encapsulation of related services according to a published 
specification. 



According to this definition we work with the idea of a component which encapsulates 
a local state or a distributed architecture. We provide a logical way to write a 
specification of component services. We will relate these notions to glass box views, 
to the derived black box views, and to component specifications. 
A powerful semantic concept of a component interface is an essential ingredient 
for the following key issues in system development: 

• modular program construction, 

• software architecture, 

• systems engineering. 



In the following we introduce a mathematical concept of a component. We show how 
basic notions of development such as specification and refinement can be based on this 
concept. 



3. Streams 

A stream is a finite or infinite sequence of messages or of actions. Streams are used to 
represent communication histories or histories of activities. Let M be a given set of 
messages. 



A stream over the set M is a finite or an infinite sequence of elements from M. 



We use the following notation: 

M* denotes the finite sequences over M with the empty sequence ⟨⟩, 

M^∞ denotes the infinite sequences over M. 

Throughout this paper we do not work with the simple concept of a stream as 
introduced so far but find it more appropriate to work with so called timed streams. A 
timed stream represents an infinite history of communications over a channel or of 
activities that are carried out in a discrete time frame. The discrete time frame 
represents time as an infinite chain of time intervals of equal length. In each time 
interval a finite number of messages can be communicated or a finite number of 
actions can be executed. Therefore we model a history of a system model with such a 
discrete time frame by an infinite sequence of finite sequences of messages or actions. 
By 

$M^{\underline{\omega}} =_{def} (M^*)^{\infty}$ 

we denote the set of timed streams. The k-th sequence in a timed stream represents the 
sequence of messages exchanged on the channel in the k-th time interval. 



A timed stream over M is an infinite sequence of finite sequences of elements from M. 



In general, in a system several communication streams occur. Therefore we work with 
channels to identify the individual communication streams. Hence, in our approach, a 
channel is nothing but an identifier in a system that is related to a stream in every 
execution of the system. 









Compositional Refinement of Interactive Systems Modelled by Relations 



Throughout this paper we work with some simple forms of notation for streams 
that are listed in the following. We use the following notation for timed streams x: 

z ^ x   concatenation of a sequence z to a stream x, 

x↓i   sequence of the first i sequences in the stream x, 

S©x   stream obtained from x by deleting all messages that are not elements of the 
set S, 

x̄   finite or infinite stream that is the result of concatenating all sequences in x. 

We can also consider timed streams of states to model the traces of state-based system 
models. In the following, we restrict ourselves to message passing systems, however. 



4. Syntactic and Semantic Interfaces of Components 

In this section we introduce a mathematical notion of components. We work with 
typed channels. Let a set S of sorts or types be given. By 

C 

we denote the set of typed channels. We assume that we have given a type assignment 
for the channels: 

type: C → S 

Given a set C of typed channels we now can introduce what we call a channel 
valuation (let M be the set of all messages; by (s) we denote, for a type s, its set of 
elements): 

$\vec{C} = \{\, x : C \to M^{\underline{\omega}} \;:\; \forall c \in C :\; x.c \in (\mathrm{type}(c))^{\underline{\omega}} \,\}$ 

A channel valuation $x \in \vec{C}$ associates a stream of elements of type type(c) with each 
channel c ∈ C. 

Given a set of typed input channels I and a set of typed output channels O we 
introduce the notion of a syntactic interface of a component: 

(I, O)   syntactic interface, 

I   set of typed input channels and, 

O   set of typed output channels. 

In addition to the syntactic interface we need a concept for describing the behaviour of 
a component. We work with a very simple and straightforward notion of a behaviour. 
A behaviour is a relation between input histories and output histories. Input histories 
are represented by valuations of the input channels and output histories are represented 
by the valuations of output channels. To express that a component maps input onto 
output we do not describe a component by a relation but by a set valued function. 
Therefore we represent the semantic interface of a component F as follows: 

$F : \vec{I} \to \wp(\vec{O})$ 

Given $x \in \vec{I}$, by F.x we denote the set of all output histories a component with 
behaviour F may produce on the input x. 

Of course, a set valued function, as is well known, is isomorphic to a relational 
definition. We call the function F an I/O-function. 

Using logical means, such a function can be described by a formula relating input 
channels with output channels. Syntactically therefore such a formula uses channels as 
identifiers for streams. 

Fig 1 Graphical Representation of a Component F with Input Channels I and Output 
Channels O 

A specification of a component defines: 

• its syntactic interface, 

• its behaviour by a specifying formula relating input and output channel 
valuations. 

This way we obtain a specification technique that gives us a very powerful way to 
describe components. 

Example. As examples of components we specify a merge component MRG and a 
fork component FRK as follows: 

MRG 

in x: T1, y: T2, 

out z: T3, 

x̄ = T1 © z̄ 

ȳ = T2 © z̄ 

Here let T1, T2, T3 be types (in our case we can see types simply as sets) where T1 
and T2 are assumed to be disjoint and T3 is the union of T1 and T2. 

FRK 

in z: T3, 

out x': T1, y': T2, 

x̄' = T1 © z̄ 

ȳ' = T2 © z̄ 

Note that the merge component as specified here is fair. Every input is finally 
processed. 



We use the following notation for a component F to refer to the constituents of its 
syntactic interface: 

In(F) the set of input channels I, 

Out(F) the set of output channels O. 

I/O-functions can be classified by the following notions. These notions can be either 
added as properties to specifications explicitly or proved for certain specifications. 

An I/O-function $F : \vec{I} \to \wp(\vec{O})$ is called 

• properly timed, if for all time points i ∈ ℕ we have 

x↓i = z↓i ⇒ F(x)↓i = F(z)↓i 

• time guarded (or causal), if for all time points i ∈ ℕ we have 

x↓i = z↓i ⇒ F(x)↓i+1 = F(z)↓i+1 

• partial, if F(x) = ∅ for some $x \in \vec{I}$. 

• realisable, if for some time guarded function $f : \vec{I} \to \vec{O}$, for all x: f.x ∈ F.x. 

• fully realisable, if for all x: F.x = {f.x : f ∈ [F]} 

Here [F] denotes the set of time guarded functions $f : \vec{I} \to \vec{O}$, where f.x ∈ F.x 
for all x. 

• time independent (see [9]), if $\bar{x} = \bar{z} \Rightarrow \overline{F.x} = \overline{F.z}$ 

It is easy to show that both MRG and FRK are time independent. If we add time 
guardedness as a requirement then both are fully realisable. 

We do not require that an I/O-function described by a specification has all the 
properties introduced above. We are much more liberal. We may add such properties 
to specifications freely whenever appropriate and therefore deal with all kinds of 
specifications of I/O-functions that do not have these properties. 

A special case of I/O-functions are partial functions which are functions that for 
certain input histories may have an empty set of output histories. An extreme case is 
a function that maps every input history onto an empty set. Such functions are not 
very interesting when used for modelling the requirements for the implementation, 
since an implementation shows at least one output for each input. However, partial 
functions may be interesting as intermediate steps in the specification process, since 
based on these functions we can construct other functions that are more interesting for 
composition and implementation. 
5. Composition Operators 



In this section we introduce a notion of composition for components. We prefer to 
introduce a very general form and later define a number of special cases for it. 




Fig 2 Parallel Composition with Feedback 

Given two disjoint sets of channels C1 and C2 we define a join operation for the 
valuations $x \in \vec{C_1}$, $y \in \vec{C_2}$ by the following equations: 

(x ⊕ y).c = x.c if c ∈ C1 and 

(x ⊕ y).c = y.c if c ∈ C2 

Given I/O-functions with disjoint sets of output channels (that is, O1 ∩ O2 = ∅) 

$F_1 : \vec{I_1} \to \wp(\vec{O_1}), \quad F_2 : \vec{I_2} \to \wp(\vec{O_2})$ 

we define the parallel composition with feedback by the I/O-function 

$F_1 \otimes F_2 : \vec{I} \to \wp(\vec{O})$ 

where I = (I1 ∪ I2) \ (O1 ∪ O2), O = (O1 ∪ O2) \ (I1 ∪ I2). The resulting function is 
specified by the equation (here $y \in \vec{C}$ where C = I1 ∪ I2 ∪ O1 ∪ O2): 

$(F_1 \otimes F_2).x = \{\, y|O \;:\; y|I = x|I \;\land\; y|O_1 \in F_1(y|I_1) \;\land\; y|O_2 \in F_2(y|I_2) \,\}$ 

By x|C we denote the restriction of the valuation x to the channels in C. 

For this form of composition we can prove the following facts by rather simple 
straightforward proofs: 

(1) if the F_i are time guarded for i = 1, 2, so is F_1 ⊗ F_2, 

(2) if the F_i are realisable for i = 1, 2, so is F_1 ⊗ F_2, 

(3) if the F_i are fully realisable for i = 1, 2, so is F_1 ⊗ F_2, 

(4) if the F_i are time independent for i = 1, 2, so is F_1 ⊗ F_2. 

If the F_i are total and properly timed for i = 1, 2, we cannot conclude that F_1 ⊗ F_2 is 
total. This shows that the composition works only in a modular way for well-chosen 
subclasses of specifications. 

Further forms of composition that can be defined (we do not give formal 
definitions for them, since these are quite straightforward): 

• feedback without hiding: F 

let F: I (O), then we define: F: J (O) where J = I\O by the 

equation (here we assume y C where C = I O): 

( F).x = {y|O : y|I = x|I y|O F(y|I)} 

• parallel composition: F1 || F2 

if (I1 I2) (O1 O2) = we have F1 || F2 = F1 F2 

• logical connectors: F1 F2 

• hiding: F\{c} 

• renaming of channels: F[c/c' ] 

Given a component specification S we define by S[c/c'] the renaming of the channel c 
in S to c' . Finally, we also can work with input and output operations on 
components: 

• input transition: F < c:m 

• output transition: c:m < F 

For a careful treatment of the last three operators see [14]. All the forms of 
compositions can be defined formally for our concept of components and in principle 
reduced to parallel composition with feedback. 




Fig 3 Sequential Composition as a Special Case of Composition 
Sequential composition of the components F1 and F2 is denoted by 
F1 ; F2 

In the special case where O1 = I2 = (O1 O2) (I1 I2) we can reduce sequential 
composition to parallel composition with feedback along the lines illustrated in Fig. 3 
as follows: 
F1 ; F2 = F1 F2 

A simple example of sequential composition (where O1 = I2) is the composed 
component MRG;FRK as well as FRK[x/x', y/y'];MRG. 



6. Refinement - the Basic Concept for System Development 

Refinement relations (see [13]) are the key to formalize development steps (see [8]) 
and the development process. We work with the following basic ideas of refinement: 

• property refinement - enhancing requirements - allows us to add properties to a 
specification, 

• glass box refinement - designing implementations - allows us to decompose a 
component into a distributed system or to give a state transition description for a 
component specification, 

• interaction refinement - relating levels of abstraction - allows us to change the 
granularity of the interaction, the number and types of the channels of a 
component (see [10]). 

We claim that these notions of refinement are sufficient to describe all the steps needed 
in the idealistic view of a strict top down hierarchical system development. The three 
refinement concepts mentioned above are explained in detail in the following. 



6.1 Property refinement 

Property refinement allows us to replace an I/O-function by one with additional 
properties. A behaviour 

F: I (O) 

is refined by a behaviour 

F: I (O) 



if 



F F 

This stands for the proposition 
x I : F(x) F(x). 

A property refinement is a basic refinement step as it is needed in requirements 
engineering. In the process of requirement engineering, typically the overall services 
of a system are specified. This, in general, is done by requiring more and more 
sophisticated properties for components until a desired behaviour is specified. 

Example. A specification of a component that transmits its input on its two input 
channels to its output channels (but does not necessarily observe the order) is specified 
as follows. 

TIM 

in x: T1, y: T2, 

out x': T1, y': T2, 

m T1: {m} x' = {m} x 

m T2: {m} y' = {m} y 



We want to relate this specification to the simple specification of the time independent 
identity TII that reads as follows: 

TII 

in x: T1, y: T2, 

out x': T1, y': T2, 

x' = x  y' = y 



Given these two specifications we immediately obtain that TII is a property 
refinement of TIM. 

TII TIM 

This relation is straightforward to prove (see below). 



The verification conditions for property refinement are obtained as follows. For given 
specifications S1 and S2 with specifying formulas E1 and E2, the specification S2 is a 
property refinement of S1 if the syntactic interfaces of S1 and S2 coincide and if for the 
formulas E1 and E2 we have 

E1 E2 

In our example the verification condition is easily obtained and reads as follows: 



( m T1: {m} x' = {m} x) x' = x  ( m T2: {m} y' = {m} y) y' = y 



The proof of this condition is trivial. 

Property refinement can also be used to relate composed components to given 
components. For instance, we obtain the refinement relation. 

(MRG ; FRK) TII 

Again the proof is quite straightforward. 
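As an added illustration (not from the paper), the following Python model restricts histories to finite untimed message sequences and checks the refinement (MRG ; FRK) TII above by enumeration, using the relational definition of sequential composition; the sample inputs and the deliberately lossy fork FRK_LOSSY are constructed for the check.

```python
from itertools import combinations
from typing import Callable, FrozenSet, Iterable, Tuple

# A history is a finite, untimed message sequence on one channel; a valuation
# maps channel names to histories (stored as sorted pairs so it is hashable).
History = Tuple
Valuation = Tuple[Tuple[str, History], ...]
IOFunction = Callable[[Valuation], FrozenSet[Valuation]]


def val(**channels) -> Valuation:
    return tuple(sorted((c, tuple(h)) for c, h in channels.items()))


def get(v: Valuation, c: str) -> History:
    return dict(v)[c]


def interleavings(x: History, y: History) -> Iterable[History]:
    """All merges of x and y that keep the relative order inside x and inside y."""
    n, m = len(x), len(y)
    for positions in combinations(range(n + m), n):
        xs, ys, chosen = iter(x), iter(y), set(positions)
        yield tuple(next(xs) if i in chosen else next(ys) for i in range(n + m))


def MRG(v: Valuation) -> FrozenSet[Valuation]:
    """in x: T1 (ints), y: T2 (strs); out z: T3. Nondeterministic: any interleaving."""
    return frozenset(val(z=z) for z in interleavings(get(v, "x"), get(v, "y")))


def FRK(v: Valuation) -> FrozenSet[Valuation]:
    """in z: T3; out x': T1, y': T2. Deterministic split by message type."""
    z = get(v, "z")
    return frozenset({val(**{"x'": tuple(m for m in z if isinstance(m, int)),
                             "y'": tuple(m for m in z if isinstance(m, str))})})


def FRK_LOSSY(v: Valuation) -> FrozenSet[Valuation]:
    """A deliberately wrong fork (constructed for contrast): drops the last T1 message."""
    z = get(v, "z")
    return frozenset({val(**{"x'": tuple(m for m in z if isinstance(m, int))[:-1],
                             "y'": tuple(m for m in z if isinstance(m, str))})})


def TII(v: Valuation) -> FrozenSet[Valuation]:
    """Time independent identity: x' = x and y' = y."""
    return frozenset({val(**{"x'": get(v, "x"), "y'": get(v, "y")})})


def seq(F1: IOFunction, F2: IOFunction) -> IOFunction:
    """Sequential composition F1 ; F2 for the case O1 = I2: every output valuation
    of F1 is fed as the input valuation of F2 and all results are collected."""
    def composed(v: Valuation) -> FrozenSet[Valuation]:
        out = set()
        for mid in F1(v):
            out |= F2(mid)
        return frozenset(out)
    return composed


def refines(F_hat: IOFunction, F: IOFunction, inputs: Iterable[Valuation]) -> bool:
    """Property refinement on a finite sample: F_hat(x) is a subset of F(x) for every x."""
    return all(F_hat(x) <= F(x) for x in inputs)


# Constructed sample input histories for the check (not from the paper).
SAMPLE_INPUTS = [
    val(x=(), y=()),
    val(x=(1, 2), y=("a",)),
    val(x=(7,), y=("b", "c", "d")),
    val(x=(1, 2, 3), y=("a", "b")),
]

MRG_FRK = seq(MRG, FRK)

if __name__ == "__main__":
    # (MRG ; FRK) is a property refinement of TII; the lossy variant is not.
    print(refines(MRG_FRK, TII, SAMPLE_INPUTS))               # True
    print(refines(seq(MRG, FRK_LOSSY), TII, SAMPLE_INPUTS))   # False
```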

Property refinement is used in requirements engineering. It is also used in the 
design process where decisions are taken that introduce further properties for the 
components. 



6.2 Compositionality of Property Refinement 

In our case, the compositionality of property refinement is simple. This is a 
consequence of the simple definition of composition. The rule of compositional 
property refinement reads as follows: 

Fi F, F, F, 

Fi F^ F, 

The proof of the soundness of this rule is straightforward by the monotonicity of the 
operator with respect to set inclusion. 

Example. For our example the application of the rule of compositionality reads as 
follows. Suppose we use a specific component MRG1 for merging two streams. It is 
defined by 

MRG1 

in x: T1, y: T2, 

out z: T3, 

z = <>^f(x, y) 

where 

f(<s>^x, <t>^y) = <s^t>^f(x, y) 



Note that this merge component MRG1 is deterministic and time dependent. 
According to our rule of compositionality and transitivity of refinement, it is 
sufficient to prove 

MRG1 MRG 



to conclude 



MRG1;FRK MRG;FRK 
and by transitivity of the refinement relation 
MRG1;FRK TII 

This shows how local refinement steps and their proofs are schematically extended to 
global proofs. 



The usage of the composition operator and the relation of property refinement leads to 
a design calculus for requirements engineering. It includes steps of decomposition and 
implementation that are treated more systematically in the following section. 




Compositional Refinement of Interactive Systems Modelled by Relations 






6.3 Glass Box Refinement 

Glass Box Refinement is a classical concept of refinement that we need and use in the 
design phase. In the design phase we typically decompose a system with a specified 
black box behaviour into a distributed system architecture or we represent this 
behaviour by a state transition machine. By this decomposition we are fixing the basic 
components of a system. 

These components have to be specified and we have to prove that their 
composition leads to a system with the required functionality. In other words, a glass 
box refinement is a special case of a property refinement of the form 

F1 F2 ... Fn F design of an architecture 



or of the form 



B( 0) F implementation by a state machine 

where the I/O-function B( 0) is defined by a state machine (see [19]) and q is its 
initial state. In the case of the design of an architecture, its components F1, ..., Fn can 
be hierarchically decomposed into a distributed architecture again, until a granularity of 
components is obtained which should not be further decomposed into a distributed 
system but realised by a state machine. 

As explained, in a glass box refinement we replace a component by a design 
which is given by 

• a network of components F1 F2 ... Fn or 

• a state machine B( 0) - let be a set of states with an initial state 0 and a state 

transition function 

: ( (I M*)) ( (O M*)) 

which describes a function 

B : (I (6)) 

where we define for each , z (I M*), x I we specify B by the 

equation 

B( ).(<zrx)= {4>y: ' : ( % t) ( , z) y B( ').x} 

In our approach iterated glass box refinement leads to a hierarchical, top down 
refinement method. 

It is not in the centre of our paper to describe in detail the design steps leading to 
distributed systems or to a state machine. Instead, we take a very puristic point of 
view. Since we have introduced a notion of composition we consider a system 
architecture as given by a term defining a system by composing a number of 
components. A state machine is given by a number of transition equations that define 
the transitions of the machine. 

Accordingly, a glass box refinement is a special case of property refinement where 
the refinement component has a special syntactic form. In the case of a glass box 
refinement that transforms a component into a network, this form is a term composed 
of a number of components. 

Example. A very simple instance of such a glass box refinement is already shown 
by the proposition 

MRG FRK TII 

It allows us to replace the component TII by two components. 



Hence, a glass box refinement works with the relation of property refinement and 
special terms representing the refined component. 

Example. We describe a refinement of the specification TII by a state machine 
: ( ({x, y} T3*)) ( ({x', y'} T3*)) 

where the state space is given by the equation 
= T1* T2* 

and the state transition relation is specified by 
((T1, T2), g) = {((g(x), g(y)), h)} 
where h is specified by 

h(x') = T1 and h(y') = T2 

This defines a most trivial state machine implementing TII by buffering its input 
always exactly one time unit. We obtain a glass box refinement formalised as follows 

F ((<>, <>)) TII 

In this case TII is refined into a state machine. 



Of course we may also introduce a refinement concept for state machines explicitly in 
terms of relations between states leading to simulations or bisimulations (see [1], [2], 
[5], [6], and also [3]). We do not do this here explicitly. We call a relation between 
state machines with initial states and " and transition function and " a 
refinement if 

F .( ') F( ) 

The compositionality of glass box refinement is a straightforward consequence of the 
compositionality of property refinement. 



6.4 Interaction Refinement 

Interaction refinement is the refinement notion that we need for modelling 
development steps between levels of abstraction. Interaction refinement allows us to 
change 

• the number and names of input and output channels, 

• the granularity of the messages on the channels 

of a component. 

An interaction refinement requires two functions 
A: C' (C) R: C (C') 

that relate the abstract with the concrete level of a development step from one level of 
abstraction to the next. Given an abstract history x C each y R(x) denotes a 
concrete history representing x. Calculating a representation for a given abstract 
history and then its abstraction yields the old abstract history again. This is expressed 
by the requirement: 



R ; A = Id 



Let Id denote the identity relation. A is called the abstraction and R is called the 
representation. R and A are called a refinement pair. For untimed components it is 
sufficient to require for the time independent identity TII (as a generalisation of the 
specification TII) 

R ; A TII 

Choosing the component MRG for R and FRK for A immediately gives a refinement 
pair for untimed components. 



Fig 4 Communication History Refinement (abstract level, representation R, abstraction A, concrete level) 
Interaction refinement allows us to refine components, given appropriate refinement 
pairs for the input and output channels. The idea of an interaction refinement is 
visualised in Fig 5. 






Fig 5 Interface Interaction Refinement (U-simulation) (abstract level with channels I1, O1; concrete level with channels I2, O2) 
Given interaction refinements 

AI: I2 (I1)  RI: I1 (I2) 

AO: O2 (O1)  RO: O1 (O2) 

for the input and output channels we call the I/O-function 

F: I2 (O2) 

an interaction refinement of 

F: I1 (O1) 

if one of the following propositions holds: 

F AI ; F ; RO        U^-1-simulation 

RI ; F F ; RO        Downward Simulation 

F ; AO AI ; F        Upward Simulation 

RI ; F ; AO F        U-simulation 



These are different versions of useful relations between levels of abstractions. A more 
detailed discussion is found in [13]. 

Example. Looking at the time independent identity for messages of type T3 we 
obtain the component specification as follows: 

TII3 

in z: T3, 
out z ' : T3, 
We obtain 

MRG ; TII3 ; FRK[z'/z] TII 

as a most simple example of interaction refinement by U-simulation. The proof is 
again straightforward. 



6.5 Compositionality of U^-1-simulation 

We concentrate on U^-1-simulation in the following and give the proof of 
compositionality only for that case. To keep the proof simple we do not give the 
proof for parallel composition with feedback but give the proof in two steps, first 
defining the compositionality for parallel composition without any interaction which 
is a simple straightforward exercise and then give a simplified proof for feedback. 

For parallel composition without feedback the rule of compositional refinement 
reads as follows: 



F1 AI1 ; F1 ; RO1      F2 AI2 ; F2 ; RO2 

F1 || F2 (AI1 || AI2) ; (F1 || F2) ; (RO1 || RO2) 

where we require the following syntactic conditions: 

O1 O2 = and I1 I2 = 

and analogous conditions for the channels of F1 and F2. These conditions make sure 
that there are no name clashes. 

The proof of the soundness of this rule is straightforward since it only deals with 
parallel composition without interaction. 

Example. If we replace in a property refinement the component TII3 by a new 
component TII3' (for instance along the lines of the property refinement of TII into 
MRG;FRK) we get by the compositionality of property refinement 

MRG ; TII3' ; FRK[z'/z] TII 

from the fact that TII3 is an interaction refinement of TII. 

It remains to show compositionality of feedback. The general case reads as follows: 

F (AI || A) ; F ; (RO || R) 

F AI ; F ; RO 

where we require the syntactic conditions 

In(A) = In(F) Out(F), 
In(R) = In(F) Out(F), 

For independent parallel composition the soundness proof of the compositional 
refinement rule is straightforward. We give only the proof of the feedback operator 
and only for the special case where the channels coming from the environment and 
leading to the environment are empty. This proof easily generalises without any 
difficulties to the general case. For simplicity, we consider the special case where 

In(F) = Out(F) 

In this special case the compositional refinement rule reads as follows: 

F A ; F ; R 
F A ; F ; R 

The proof of the soundness of this rule is shown as follows. Here we use the classical 
relational notation: 



xFy 



that stands for y F(x). 

Proof. Soundness for the Rule of U^-1-Simulation 



If we have:              z F 
then:                    z F z 
and by the hypothesis:   x, y: zAx xFy yRz 
then by:                 xRz zAy x = y 
we obtain:               x, y: zAx xFy yRz x = y 
and thus:                x: zAx xFx xRz 
and finally:             z A ; F ; R 



The simplicity of the proof of our result comes from the fact that we have chosen 
such a straightforward model of component. In our model, in particular, input and 
output histories are represented explicitly. This allows us to apply classical ideas (see 
[17], [18]) of data refinement to communication histories. Roughly speaking: 
communication histories are nothing but data structures that can be manipulated and 
refined like other data structures. 

Example. To demonstrate interaction refinement let us consider the specification of 
two delay components. 

D3 

in c, z: T3, 

out c', z': T3, 

c' = <>^z 
z' = <>^c 

D 

in x, c: T1, y, d: T2, 

out x', c': T1, y', d': T2, 

c' = <>^x, x' = 

d' = <>^y, y' = <>^d 

We have 

MRG MRG[c/x, d/y, c/z] ; D3 ; FRK FRK[c'/x, d'/y] D 
and in addition 

D3[c/c'] TII3, D[c/c', d/d'] TII 

and so finally we obtain 

MRG ; D3[c/c'] ; FRK D[c/c', d/d'] TII 
which is an instance of the compositionality rule for interaction refinement. 

Our refinement calculus leads to a logical calculus for "programming in the large" 
where we can argue about software architectures. 



7. Conclusions 

What we have presented in the previous chapters is a comprehensive method for a 
system and software development which supports all steps of a hierarchical stepwise 
refinement development method. It is compositional and therefore supports all the 
modularity requirements that are generally needed. 

What we have presented is a method that provides, in particular, the following 
ingredients: 

• a proper notion of a syntactic and semantic interface of a component, 

• a formal specification notation and method, 

• a proper notion of composition, 

• a proper notion of refinement and development, 

• a compositional development method, 

• a flexible concept of software architecture, 

• concepts of time and the refinement of time (see [16]). 

What we did not mention throughout the paper are concepts that are also available and 
helpful from a more practical point of view including 

• combination with tables and diagrams, 

• tool support in the form of AutoFocus (see [4]). 

The simplicity of our results is a direct consequence of the specific choice of our 
semantic model. The introduction of time makes the model robust and expressive. The 
fact that communication histories are explicit allows us to avoid all kinds of 
complications like prophecies or stuttering and leads to an abstract relational view of 
systems. 

Of course, what we have presented is just the scientific kernel of the method. More 
pragmatic ways to describe specifications are needed. These more pragmatic 
specifications can be found in the work done in the SysLab-Project (see [7]) at the 
Technical University of Munich. For extensive explanations of the use of state 
transition diagrams, data flow diagrams and message sequence charts as well as several 
versions of data structure diagrams we refer to this work. 
Toward Parametric Verification of Open 
Distributed Systems* 
Abstract. A logic and proof system is introduced for specifying and 
proving properties of open distributed systems. Key problems that are 
addressed include the verification of process networks with a changing 
interconnection structure, and where new processes can be continuously 
spawned. To demonstrate the results in a realistic setting we consider 
a core fragment of the Erlang programming language. Roughly this 
amounts to a first-order actor language with data types, buffered asynchronous 
communication, and dynamic process spawning. Our aim is to 
verify quite general properties of programs in this fragment. The specification 
logic extends the first-order μ-calculus with Erlang-specific primitives. 
For verification we use an approach which combines local model 
checking with facilities for compositional verification. We give a specification 
and verification example based on a billing agent which controls 
and charges for user access to a given resource. 



1 Introduction 

A central feature of open distributed systems as opposed to concurrent systems 
in general is their reliance on modularity. Open distributed systems must accommodate 
addition of new components, modification of interconnection structure, 
and replacement of existing components without affecting overall system behaviour 
adversely. To this effect it is important that component interfaces are 
clearly defined, and that systems can be dynamically put together relying only 
on component behaviour along these interfaces. That is, behaviour specification 
of open distributed systems, and hence also their verification, cannot be based 
on a fixed system structure but needs to be parametric on the behaviour of components. 
Almost all prevailing approaches to verification of such systems rely on 
an assumption that process networks are static, or can safely be approximated 
as such, as this assumption opens up the possibility of bounding the space of 
global system states. Clearly such assumptions square poorly with the dynamic 
and parametric nature of open distributed systems. 
Core Erlang Our aim in this paper is to demonstrate an approach to system 
specification and verification that has the potentiality of addressing open distributed 
systems in general. We study the issue in terms of a core fragment of 
Ericsson's Erlang programming language [AVWW96] which we call Core Erlang. 
Core Erlang is essentially a first-order actor language (cf. [AMST97]). The language 
has primitives for local computation: data types, first-order abstraction 
and pattern matching, and sequential composition. In addition to this Core Erlang 
has a collection of primitives for component (process) coordination: sending 
and receiving values between named components by means of ordered message 
queues, and for dynamically creating new components. 

Specification Language We use a temporal logic based on a first-order extension 
of the modal μ-calculus for the specification of component behaviour. In 
this logic it is possible to describe a wide range of important system properties, 
ranging from type-like assertions to complex interdependent safety and liveness 
properties. The development of this logic is actually fairly uncontroversial: To 
adequately describe component behaviour it is certainly needed to express potentialities 
of actions across interfaces and the necessary and contingent effects of 
these actions, to express properties of data types and properties of components 
depending on values, to access component names, and to express properties of 
messages in transit. 

Challenges The real challenge is to develop techniques that allow such temporal 
properties to be verified in a parametric fashion in the face of the following basic 
difficulties: 

1. Components can dynamically create other components. 

2. Component names can be bound dynamically, thus dynamically changing 
component interconnection structure (similar to the case of the π-calculus 
[MPW92]). 

3. Components are connected through unbounded message queues. 

4. Through use of non-tail recursion components can give rise to local state 
spaces of unbounded size. 

5. Basic data types such as natural numbers and lists are also unbounded. 

We would expect some sort of uniformity in the answers to these difficulties. 
For instance, techniques for handling dynamic process creation are likely to 
be adaptable to non-tail recursive constructions quite generally, and similarly 
message queues are just another unbounded data type. 

Approach In [Dam98] an answer to the question of dynamic process creation 
was suggested, cast in terms of CCS. Instead of closed correctness assertions of 
the shape s : φ (s is a system, φ its specification) which are the typical objects 
of state exploration based techniques, the paper considered more general open 
correctness assertions of the shape Γ ⊢ s : φ where Γ expresses assumptions 
S : ψ on components S of s. Thus the behaviour of s is specified parametrically 
upon the behaviour of its component S. To address verification, a sound and 
weakly complete proof system was presented, consisting of proof rules to reduce 
complex proof goals to (hopefully) simpler ones, including a process cut rule by 
which properties of composite processes can be proved in terms of properties of 
its constituent parts. The key, however, is a loop detection mechanism, namely 
a rule of discharge, that can under certain circumstances be applied to discharge 
proof goals that are instances of proof goals that have already been encountered 
during proof construction. The combination of the rule of discharge with the 
process cut rule provides the power required to deal successfully with features 
such as dynamic process creation. 

Our contribution in the present paper is to show how the approach of [Dam98] 
can be extended to address the difficulties enumerated above for a fragment of a 
real programming language, and to show the utility of our approach on a concrete 
example exhibiting some of those difficulties. In particular we have resolved a 
number of shortcomings of [Dam98] with respect to the rule of discharge. 

Example We use a running example based on the following scenario: A user wants 
to access a resource paying for this using a given account. She therefore issues a 
request to a resource manager which responds by dynamically creating a billing 
agent process to act as an intermediary between the user, the resource, and the 
user’s account. We view this scenario as quite typical of many security-critical 
mobile agent applications. 

The user is clearly taking a risk by exposing her account to the resource 
manager and the billing agent. One of these parties might violate the trust put 
in him, e.g. by charging for services not provided, or by passing information to 
third parties that should be kept confidential. Equally the resource manager needs 
to trust the billing agent (and to some minor extent the user). We show how the 
system can be represented in Core Erlang, how some critical properties can be 
expressed, and outline a proof of the desirable property of the billing agent that 
the number of transfers from the user account does not exceed the number of 
requests to use the resource. 

Organisation The paper is organised as follows. Section 2 introduces the fragment 
of Erlang treated in the paper and presents an operational semantics for 
the language. The following section focuses on the variant of the μ-calculus used 
as the specification logic, providing examples as well as a formal semantics. 
Section 4 describes the local part of a proof system for verifying that an Erlang 
system satisfies a specification formalised in the μ-calculus, and contains 
proofs of soundness for some proof rules introduced in the section. The rule of 
discharge is motivated in terms of two simple examples in section 5, and it is 
formally stated and proved sound in section 6. In section 7 we put the proof 
system to work on the billing example, outlining parts of a correctness proof. 
Finally, the paper ends with a discussion in section 8 on directions for further 
work, and some concluding remarks. 
2 Core Erlang 

We introduce a core fragment of the Erlang programming language with dynamic 
networks of processes operating on data types such as natural numbers, lists, 
tuples, or process identifiers (pid's), using asynchronous, first-order call-by-value 
communication via unbounded ordered message queues called mailboxes. Real 
Erlang has several additional features such as communication guards, exception 
handling, modules, distribution extensions, and a host of built-in functions. 

Processes A Core Erlang system consists of a number of processes computing in 
parallel. Each process is named by a unique process identifier pid of which we 
assume an infinite supply. Pid's are created along with the processes themselves. 
Associated with a process is an Erlang expression e, i.e. the expression being 
evaluated, and a mailbox, or input queue q, assumed to be of unbounded capacity. 
Messages are sent by addressing a data value to a receiving process, identified 
through its pid. 

Definition 1 (Processes, System States). An Erlang process is a triple 
(e, pid, q), where e is an Erlang expression, pid is a process identifier, and q 
is a message queue. An Erlang system state s is a set of processes such that 
(e, pid, q), (e', pid', q') ∈ s and (e, pid, q) ≠ (e', pid', q') implies pid ≠ pid'. S is 
the set of system states. 

We normally write system states using the grammar: 

s ::= (e,pid,q) | s || s 
understanding || as set union. 

As the amount of different syntactical categories involved in the operational 
semantics and in the specification logic is quite large, the following notational 
convention is useful. 

Convention 2 . Corresponding small and capital letters are used to range over 
values, resp. variables over a given syntactical domain. 

Thus, as e.g. e is used to range over Erlang expressions, E is used to range 
over variables taking Erlang expressions as values. 

Erlang Expressions Besides expressions we operate with the syntactical categories 
of matches m, patterns p, and values v. The abstract syntax of Core 
Erlang expressions is summarised as follows: 

e ::= V | self | op(e1, ..., en) | 
      e1 e2 | e1, e2 | case e of m | spawn(e1, e2) | 
      receive m end | e1!e2 

m ::= p1 → e1; ...; pn → en 
p ::= op(p1, ..., pn) | V 
v ::= op(v1, ..., vn) 
Here op ranges over a set of primitive constants and operations including zero 0, 
successor e + 1, tupling {e1, e2}, the empty list [], list prefix [e1|e2], pid constants 
ranged over by pid, and atom constants ranged over by a, f, and g. In addition 
we need constants and operations for message queues: A queue is a sequence 
of values q = v1 · v2 · ... · vn where ε is the empty queue and q1 · q2 is queue 
concatenation, assumed to be associative. 

Atoms are used to name functions. We reserve f and g for this purpose. 
Expressions are interpreted relative to an environment of function definitions 
f(V1, ..., Vn) → e, syntactic sugar for f = {V1, ..., Vn} → e. Each function 
atom f is assumed to be defined at most once in this environment. 

Intuitive Semantics The intuitive meaning of the Erlang operators, given in the 
context of a pid pid and a queue q, should not be too surprising: 

— self evaluates to the pid pid of the process. 

— op is a data type constructor: To evaluate op(e1, ..., en), e1 to en are evaluated 
in left-to-right order. 

— e1 e2 is application: First e1 is evaluated to a function atom¹ f, then e2 is 
evaluated to a value v, and finally the function definition of f is looked up 
and matched to v. 

— e1, e2 is sequential composition: First e1 is evaluated (for its side-effect only), 
and then evaluation proceeds with e2 whose value is actually returned. 

— case e of m is evaluated by first evaluating e to a value v, then matching v 
using m. If several patterns in m match, the first one is chosen. Matching a 
pattern pi of m against v can cause unbound variables to become bound in 
e_pi². In a function definition all free variables are considered as unbound. 

— spawn(e1, e2) is the language construct for creating new processes. First e1 
is evaluated to a function atom f, then e2 to a value v, a new pid pid' is 
generated, and a process ((f v), pid', ε) with that pid and an initially empty 
queue is spawned evaluating f v. The value of the spawn expression itself is 
the pid pid' of the newly spawned process. 

— receive m end inspects the process mailbox q and retrieves (and removes) 
the first element in q that matches any pattern of m. Once such an element 
v has been found, evaluation proceeds analogously to case v of m. 

— e1!e2 is sending: e1 is evaluated to a pid pid', then e2 to a value v, then v is 
sent to pid', resulting in v as the value of the send expression. 

Example: Billing Agents In the introduction we gave a scenario for accessing 
private resources. As an example Core Erlang program, a function for managing 
such accesses (a resource manager) is shown below. Erlang variables are upper-case, 
while atoms are lower-case. Atoms are used to name functions (rm, lookup 
and billagent), but also as constant values for identifying the "type" of a particular 
message (contract, contract_ok, etc.), or for other synchronisation purposes 
(lookup_ok and lookup_nok). 

^ There is no construct for lambda-abstraction in Erlang. 

^ This is not quite the binding the convention of Erlang proper: There the hrst occur- 
rence of V in (case ei of E 62), V can bind the second. 
    rm(ResList, BankPid, RAcc) →
      receive
        {contract, {Pu, UAcc}, UserPid} →
          case lookup(Pu, ResList) of
            {lookup_ok, Pr} →
              UserPid!{contract_ok, spawn(billagent, (Pr, BankPid, RAcc, UAcc))};
            lookup_nok →
              UserPid!contract_nok
          end
      end,
      rm(ResList, BankPid, RAcc).

The resource manager rm accepts as arguments a resource list, the pid of
a trusted bank agent, and a private account. The resource list uses pairs to
implement a map from public to private resource "names"; given a public name
Pu, a function lookup(Pu, ResList) is used to extract the corresponding private
name Pr. The resource manager, after receiving a contract offer (identifying
the paying account UAcc), tries to obtain the private name of the requested
resource, and if this succeeds, a billing agent is spawned to mediate between the
user, the bank and the resource, and the name (i.e. pid) of the billing agent is
made known to the user. Figure 1 shows the system configuration before and
after the creation of the billing agent.

    billagent(ResPid, BankPid, RAcc, UAcc) →
      receive
        {use, UserPid} →
          ResPid!{acquire, self},
          receive
            {acquire_ok, Value} →
              BankPid!{trans, {UAcc, RAcc}, self},
              receive
                {trans_ok, {UAcc, RAcc}} → UserPid!{use_ok, Value};
                {trans_nok, {UAcc, RAcc}} → UserPid!use_nok
              end;
            acquire_nok → UserPid!use_nok
          end
      end,
      billagent(ResPid, BankPid, RAcc, UAcc).

The billing agent coordinates access to the resource with withdrawals from
the account. Upon receiving a request for the resource {use, UserPid}, it at-
tempts to acquire the resource, and if this succeeds (resulting in a response
Value being received from the resource), it attempts to transfer money from the
user account to the resource manager account, and then sends the value to the
user.
Matching The definition of the operational semantics requires an ancillary, en-
tirely standard, definition to be made concerning pattern matching between a
value v and a pattern p. A term environment is a partial function τ from variables
V to values v. The totally undefined term environment is []. The most general
unifier, mgu(v, p, τ), of v and p in term environment τ is a term environment
defined as follows:

    mgu(v, V, τ) = τ[V ↦ v]          if V ∉ dom(τ)
    mgu(v, V, τ) = τ                 if V ∈ dom(τ) and τ(V) = v
    mgu(op(v1, ..., vn), op(p1, ..., pn), τ)
        = mgu(v1, p1, mgu(v2, p2, ..., mgu(vn, pn, τ)...))

The equations should be understood as Kleene equations: one side of the equa-
tion is defined if and only if the other side is, and if they are defined, the two
sides are equal. It is not hard to show that the definition is independent of the
order of unification in the third clause of this definition. Term environments are
lifted from functions on variables to functions on arbitrary terms in the usual
way; τ(e) is τ applied to the term e. Now define the relation v matches p to hold
just in case mgu(v, p, []) is defined. If {V1, ..., Vn} are the free variables in p
then v matches p can be expressed as the first-order formula ∃V1, ..., Vn. p = v.

Given a value v, a queue q = v1 · v2 · ... · vm and a match m = p1 → e1; ...;
pn → en, we define two matching operations to be used below:

    val-match(v, m) = mgu(v, p_i, [])(e_i)
        if v matches p_i and ∀j < i. not(v matches p_j)

    queue-match(q, m) = mgu(v_m, p_i, [])(e_i)
        if v_m matches p_i and ∀j < m. ∀k. not(v_j matches p_k)
        and ∀k < i. not(v_m matches p_k).
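The three definitions above can be executed directly. The following Python code is an added example, not code from the paper: it represents atoms as lower-case strings, variables as capitalised strings and constructor applications op(t1, ..., tn) as tuples (a representation chosen here, not the paper's), and implements mgu, val-match and queue-match, the latter also returning the mailbox with the matched element removed, as the RECEIVE rule requires.

```python
"""Core Erlang pattern matching: mgu, val-match and queue-match (added example)."""
from typing import Any, Dict, List, Optional, Tuple

# Constructed representation (an assumption of this example, not the paper's notation):
#   atom       -> lower-case str, e.g. "lookup_ok"       integer -> int
#   op(t1..tn) -> Python tuple, e.g. ("use", "UserPid")
#   variable   -> str starting with an upper-case letter, e.g. "UserPid"
Term = Any
Env = Dict[str, Term]            # a term environment tau: variables -> values
Match = List[Tuple[Term, Term]]  # a match m = p1 -> e1; ...; pn -> en


def is_var(t: Term) -> bool:
    return isinstance(t, str) and t[:1].isupper()


def mgu(v: Term, p: Term, tau: Optional[Env]) -> Optional[Env]:
    """Most general unifier of value v and pattern p in environment tau.

    None plays the role of "undefined" (Kleene equations: if any inner
    call is undefined, so is the whole)."""
    if tau is None:
        return None
    if is_var(p):                       # clauses 1 and 2 of the definition
        if p not in tau:
            return {**tau, p: v}        # tau[V -> v]
        return tau if tau[p] == v else None
    if isinstance(p, tuple) and isinstance(v, tuple) and len(p) == len(v):
        # clause 3: mgu(v1, p1, mgu(v2, p2, ..., mgu(vn, pn, tau)...)),
        # evaluated innermost first, i.e. from the last argument backwards
        for vi, pi in reversed(list(zip(v, p))):
            tau = mgu(vi, pi, tau)
            if tau is None:
                return None
        return tau
    # nullary constructors (atoms, integers) unify only with themselves
    return tau if not isinstance(p, tuple) and p == v else None


def matches(v: Term, p: Term) -> bool:
    """v matches p iff mgu(v, p, []) is defined."""
    return mgu(v, p, {}) is not None


def apply_env(tau: Env, e: Term) -> Term:
    """tau lifted from variables to arbitrary terms: substitute the bindings in e."""
    if is_var(e):
        return tau.get(e, e)
    if isinstance(e, tuple):
        return tuple(apply_env(tau, x) for x in e)
    return e


def val_match(v: Term, m: Match) -> Optional[Term]:
    """val-match(v, m): the body e_i of the first clause whose pattern v matches,
    with the bindings applied; None when no pattern matches (undefined)."""
    for p_i, e_i in m:
        tau = mgu(v, p_i, {})
        if tau is not None:
            return apply_env(tau, e_i)
    return None


def queue_match(q: List[Term], m: Match) -> Optional[Tuple[Term, List[Term]]]:
    """queue-match(q, m): scan the mailbox in arrival order and take the first
    element v_m that matches some pattern of m (then the first such clause).
    Returns (e_i with bindings, q' . q'') where q' . q'' is the mailbox with v_m
    removed, as the RECEIVE rule needs; None when undefined."""
    for idx, v_m in enumerate(q):
        e = val_match(v_m, m)
        if e is not None:
            return e, q[:idx] + q[idx + 1:]
    return None
```

The nonlinear pattern {V, V} in the tests below exercises the second clause of mgu (a repeated variable must be bound to equal values), which is the binding convention footnote 2 contrasts with Erlang proper.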

Operational Semantics A reduction context r[·] is an Erlang expression with a
"hole" in it. The reduction context defines the evaluation order of subexpressions
in language constructs; here from left to right^3. The result of placing e in (the
hole of) a context r[·] is denoted r[e]. Contexts are defined by the grammar:

    r[·] ::= ·
          | op(v1, ..., v_{i-1}, r[·], e_{i+1}, ..., en)    for all i : 1 ≤ i ≤ n
          | r[·], e
          | r[·] e | f r[·]
          | case r[·] of m end
          | r[·]!e | pid!r[·]
          | spawn(r[·], e) | spawn(f, r[·])

^3 An arbitrary simplification. The full Erlang language does not specify any evaluation
ordering.
Definition 3 (Operational semantics). The operational semantics of Core
Erlang is defined by table 1.

The rules defining the operational semantics of Core Erlang are separated into
three classes: the local rules concern classical, side-effect free, computation steps
of an Erlang expression, the process rules define the actions of a single process
(an Erlang expression with an associated pid and queue), and the system rules
give the semantics of the parallel composition operator. In the rules "pid fresh"
requires pid to be a new pid, and foreign(pid)(s) states that no process in the
system state s has pid as its pid.

3 The Property Specification Logic

In this section we introduce a specification logic for Core Erlang. The logic is
based on a first-order μ-calculus, corresponding, roughly, to Park's μ-calculus
[Par76], extended with Erlang-specific features. Thus the logic is based on the
first-order language of equality, extended with modalities reflecting the transition
capabilities of processes and process configurations, least and greatest fixpoints,
along with a few additional primitives.

Syntax Abstract formula syntax is determined by the following grammar where
Z ranges over predicate variables parametrised by value vectors.

    φ ::= p = p | p ≠ p | term(p) = p | queue(p) = p |
          local(p) | foreign(p) | atom(p) | unevaluated(p) |
          φ ∧ φ | φ ∨ φ | ∀V.φ | ∃V.φ |
          ◇φ | <p!p>φ | <p?p>φ | []φ | [p!p]φ | [p?p]φ |
          Z(p1, ..., pn) |
          (μZ(V1, ..., Vn).φ)(p1, ..., pn) | (νZ(V1, ..., Vn).φ)(p1, ..., pn)

It is important to note that patterns p and value variables V in the case of
formulas range not only over Erlang values, but also over message queues.

Intuitive Semantics The intuitive meaning of formulas is given as follows:

— Equality, inequality, the Boolean connectives and the quantifiers take their
usual meanings.

— The purposes of term(p1) = p2 and queue(p1) = p2 are to pick up the
values of terms and queues associated with a given pid p1. term(p1) = p2
requires p1 to equal the pid of a process which is part of the system state
being predicated, and the Erlang expression associated with that pid to be
identical to p2. Similarly queue(p1) = p2 holds if the queue associated with
p1 is equal to p2.

— atom(p) holds if p is equal to an atom.
Local rules

    SEQ:        v, e → e
    CASE:       case v of m end → val-match(v, m)        if val-match(v, m) is defined.
    FUN:        f v → case v of m end                    if f = m.

Process rules

    LOCAL:      (r[e], pid, q) → (r[e'], pid, q)         if e → e'
    SELF:       (r[self], pid, q) → (r[pid], pid, q)
    SPAWN:      (r[spawn(f, v)], pid, q) → (r[pid'], pid, q) || (f v, pid', ε)
                                                         if pid' fresh.
    SEND:       (r[pid'!v], pid, q) --pid'!v--> (r[v], pid, q)
                                                         if pid ≠ pid'.
    SELF-SEND:  (r[pid!v], pid, q) → (r[v], pid, q · v)
    RECEIVE:    (r[receive m end], pid, q' · v · q'') → (r[queue-match(q' · v, m)], pid, q' · q'')
                                                         if queue-match(q' · v, m) is defined.
    INPUT:      (e, pid, q) --pid?v--> (e, pid, q · v)   for all values v.

System rules

    COM:          s1 || s2 → s1' || s2'                  if s1 --pid!v--> s1' and s2 --pid?v--> s2'.
    INTERLEAVE1:  s1 || s2 → s1' || s2                   if s1 → s1'.
    INTERLEAVE2:  s1 || s2 --pid!v--> s1' || s2          if s1 --pid!v--> s1' and foreign(pid)(s2).
    INTERLEAVE3:  s1 || s2 --pid?v--> s1' || s2          if s1 --pid?v--> s1'.

Table 1. Operational semantics of Core Erlang

M. Dam, L. Fredlund, and D. Gurov



— local(p) holds if p is equal to the pid of a process in the system state being
predicated, and analogously foreign(p) holds if p is equal to a pid and there
is no process with pid p in the predicated system state.

— unevaluated(p) holds if local(p) does and the Erlang expression associated
with p is not a ground value.

— ◇φ holds if an internal transition is enabled to a system state satisfying φ.
[]φ is the dual of ◇φ (i.e. all states following an internal transition satisfy
φ). <p1!p2>φ holds if an output transition with appropriate parameters is
enabled to a state satisfying φ, and <p1?p2>φ is used similarly for input
transitions.

— μZ(V1, ..., Vn).φ is the least inclusive predicate Z satisfying the equation
φ = Z(V1, ..., Vn), while νZ(V1, ..., Vn).φ is the most inclusive such predi-
cate.

As is by now well known, monotone recursive definitions in a complete Boolean
lattice have least and greatest solutions. This is what motivates the existence
of predicates Z above. Greatest solutions are used, typically, for safety (i.e. in-
variant) properties, while least solutions are used for liveness (i.e. eventuality)
properties. For readability we often prefer the notation f(V1, ..., Vn) ⇐ φ for
defining explicitly a formula atom f which is to be applied to pattern vectors
(p1, ..., pn), instead of the standard notation for least fixpoints, and similarly
f(V1, ..., Vn) ⇒ φ for greatest ones. In such definitions all value variables oc-
curring freely in φ have to be in V1, ..., Vn.

We use standard abbreviations like true, false and ∀V1, ..., Vn.φ. It is possible
to define a de Morganised negation not, by the standard clauses along with
clauses for the Erlang specific atomic propositions term(p1) = p2, queue(p1) =
p2, local(p), foreign(p), or unevaluated(p). This is an easy exercise given the
formal semantics in table 2 below.

Definition 4 (Boolean Formula). A formula φ is boolean if it has no oc-
currences of modal operators, nor occurrences of any of the Erlang-specific
atomic propositions term(p1) = p2, queue(p1) = p2, local(p), foreign(p), or
unevaluated(p).

Boolean formulas are important as they either hold globally or not at all.

The formal semantics of formulas is given as a set ||φ||η ⊆ S, where η is
a valuation providing interpretations for variables (value variables, or predicate
variables). We use the standard notation η{v/V} for updating η so that the
new environment maps V to v and acts otherwise as η. Predicate maps f :
(v1, ..., vn) ↦ C ⊆ S are ordered by ≤ defined as subset containment lifted
pointwise.

Definition 5 (Formula semantics). The semantics of formulas is defined by
table 2, where in the last two defining equations, M(f)(v1, ..., vn) = ||φ||
η{f/Z, v1/V1, ..., vn/Vn}.
    ||p1 = p2||η           = {s | p1η = p2η}
    ||p1 ≠ p2||η           = {s | p1η ≠ p2η}
    ||term(p1) = p2||η     = {(p2η, p1η, q) || s | p1η is a pid}
    ||queue(p1) = p2||η    = {(e, p1η, p2η) || s | p1η is a pid}
    ||local(p)||η          = {(e, pη, q) || s | pη is a pid}
    ||foreign(p)||η        = {s | pη is a pid that does not belong to a process in s}
    ||atom(p)||η           = {s | pη is an atom}
    ||unevaluated(p)||η    = {(e, pη, q) || s | e is not a ground value, pη is a pid}
    ||φ1 ∧ φ2||η           = ||φ1||η ∩ ||φ2||η
    ||φ1 ∨ φ2||η           = ||φ1||η ∪ ||φ2||η
    ||∀V.φ||η              = ∩ {||φ||η{v/V} | v a value}
    ||∃V.φ||η              = ∪ {||φ||η{v/V} | v a value}
    ||◇φ||η                = {s | ∃s' ∈ ||φ||η. s → s'}
    ||<p1!p2>φ||η          = {s | ∃s' ∈ ||φ||η. s --p1η!p2η--> s'}
    ||<p1?p2>φ||η          = {s | ∃s' ∈ ||φ||η. s --p1η?p2η--> s'}
    ||[]φ||η               = {s | ∀s'. s → s' implies s' ∈ ||φ||η}
    ||[p1!p2]φ||η          = {s | ∀s'. s --p1η!p2η--> s' implies s' ∈ ||φ||η}
    ||[p1?p2]φ||η          = {s | ∀s'. s --p1η?p2η--> s' implies s' ∈ ||φ||η}
    ||Z(p1, ..., pn)||η    = (Zη)(p1η, ..., pnη)
    ||(μZ(V1, ..., Vn).φ)(p1, ..., pn)||η = (∩ {f | M(f) ≤ f})(p1η, ..., pnη)
    ||(νZ(V1, ..., Vn).φ)(p1, ..., pn)||η = (∪ {f | f ≤ M(f)})(p1η, ..., pnη)

Table 2. Formula Semantics
Example Formulas The combination of recursive definitions with data types
makes the logic very expressive. For instance, the type of natural numbers is the
least set containing zero and closed under successor. The property of being a
natural number can hence be defined as a least fixpoint:

    nat(P) ⇐ P = 0 ∨ ∃V.(nat(V) ∧ P = V + 1)                                  (1)

Using this idea quite general flat data types can be defined. One can also de-
fine "weak" modalities that are insensitive to the specific number of internal
transitions in the following style:

Observe the use of formula parameters, and the use of = for non-recursive
definitions. A temporal property like always is also easily defined:

    always(φ) ⇒
      φ ∧ []always(φ) ∧ ∀V, V'.[V?V']always(φ) ∧ ∀V, V'.[V!V']always(φ)        (2)

The definition of always illustrates the typical shape of behavioural properties:
one mixes state properties (φ) with properties concerning program transitions,
separated into distinct cases for internal transitions (i.e. []always(φ)), input
transitions and output transitions.

Eventuality operators are more delicate as progress is in general only made
when internal or output transitions are taken. This can be handled, though, by
nesting of minimal and maximal definitions.

Billing Agents: Specification We enumerate some desired properties of the billing
agent system introduced in the previous section.

Disallowing spontaneous account withdrawals. The first correctness requirement
forbids spontaneous withdrawals from the user account by the billing agent. This
implies the invariant property that the number of attempts for transfers from
the user account should be less than or equal to the number of requests for using
the resource:

    safe(Ag, BankPid, UAcc, N) ⇒
        []safe(Ag, BankPid, UAcc, N)
      ∧ ∀P, V.[P?V]
          (   isuse(P, V, Ag) ∧ safe(Ag, BankPid, UAcc, N + 1)
            ∨ not(isuse(P, V, Ag)) ∧ safe(Ag, BankPid, UAcc, N)
            ∨ contains(V, UAcc) )
      ∧ ∀P, V.[P!V]
          (   istrans(P, V, BankPid, UAcc) ∧ N > 0 ∧ safe(Ag, BankPid, UAcc, N - 1)
            ∨ not(istrans(P, V, BankPid, UAcc)) ∧ safe(Ag, BankPid, UAcc, N) )
where the predicates isuse and istrans recognise resource requests and money
transfers:

    isuse(P, V, Ag) = P = Ag ∧ ∃Pid. V = {use, Pid}
    istrans(P, V, BankPid, UAcc) =
        P = BankPid ∧ ∃Pid, Acc. V = {trans, {UAcc, Acc}, Pid}

So, a billing agent with pid Ag, pid of a trusted bank agent BankPid, and
user account UAcc is defined to be safe if the difference N between the num-
ber of requests for using the resource (messages of type {use, Pid} received
in the process mailbox) and the number of attempts for transfers from the
user account (messages of type {trans, {UAcc, Acc}, Pid} sent to BankPid) is
always non-negative. Since this difference is initially equal to zero, we expect
billagent(ResPid, BankPid, RAcc, UAcc) to satisfy safe(Ag, BankPid, UAcc, 0).
The predicate contains(v, v') is defined via structural induction over an Erlang
value (or queue) v and holds if v' is a component of v (such as v being a tuple
v = {v1, v2} and either v = v' or contains(v1, v') or contains(v2, v')). We omit
the easy definition.

Expected Service is Received. Other interesting properties concern facts like: de-
nial of service responses correspond to failed money transfers, and returning the
resource to the proper user. These sorts of properties are not hard to formalise
in a style similar to the first example.

Preventing Abuse by a Third Party. The payment scheme presented here depends
crucially on the non-communication of private names. For instance, even if we can
prove that a resource manager or billing agent does not make illegal withdrawals,
nothing stops the resource manager from communicating the user account key
to a third party, that can then access the account in non-approved ways.

Thus we need to prove at least that the system communicates neither the
user account key nor the agent process identifier. Perhaps the service user also
requests that her identity not be known outside of the system; in such a case the
return process identifiers may not be communicated either. As an example, the
property that the system does not communicate the user account key is captured
by notrans(UAcc) given the definition below.

    notrans(A) ⇒ []notrans(A)
                 ∧ ∀V, V'.[V?V'] (contains(V', A) ∨ notrans(A))
                 ∧ ∀V, V'.[V!V'] (not(contains(V', A)) ∧ notrans(A))
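Both properties can be checked against a concrete trace of labelled transitions. The Python monitor below is an added example, not from the paper: it encodes isuse, istrans and contains as stated above and replays constructed traces in which "ag", "bank", "res" and "uacc" are placeholder names for the billing agent's pid, the bank's pid, the resource and the user account key. For notrans the trace is taken at the level of the whole system, where the bank transfer is an internal COM step rather than an output.

```python
"""Trace monitor for the billing-agent properties safe(...) and notrans(...) (added example)."""
from typing import Any, List, Tuple

# A trace is a constructed list of labelled transitions of the predicated system:
#   ("tau",)        internal transition
#   ("in",  P, V)   input  P?V : value V arrives in the mailbox of pid P
#   ("out", P, V)   output P!V : value V is sent to the external pid P
Step = Tuple[Any, ...]


def contains(v: Any, x: Any) -> bool:
    """contains(v, x): x is v itself or a component of the tuple (or queue) v."""
    return v == x or (isinstance(v, (tuple, list)) and any(contains(c, x) for c in v))


def isuse(p: Any, v: Any, ag: Any) -> bool:
    """isuse(P, V, Ag) = P = Ag and V = {use, Pid} for some Pid."""
    return p == ag and isinstance(v, tuple) and len(v) == 2 and v[0] == "use"


def istrans(p: Any, v: Any, bankpid: Any, uacc: Any) -> bool:
    """istrans(P, V, BankPid, UAcc) = P = BankPid and V = {trans, {UAcc, Acc}, Pid}."""
    return (p == bankpid and isinstance(v, tuple) and len(v) == 3 and v[0] == "trans"
            and isinstance(v[1], tuple) and len(v[1]) == 2 and v[1][0] == uacc)


def check_safe(trace: List[Step], ag: Any, bankpid: Any, uacc: Any, n: int = 0) -> Tuple[str, int]:
    """Replay trace against safe(Ag, BankPid, UAcc, N), starting from N = n.

    Returns (verdict, N): "ok" if every step is covered by a disjunct of the
    definition, "discharged" if an input carried UAcc (the contains(V, UAcc)
    disjunct holds and nothing further is required), or "violation at step i"
    when a transfer is attempted while N = 0."""
    for i, step in enumerate(trace):
        if step[0] == "tau":
            continue                                  # [ ]safe(..., N): N unchanged
        _, p, v = step
        if step[0] == "in":
            if contains(v, uacc):
                return "discharged", n
            if isuse(p, v, ag):                       # one more pending use request
                n += 1
        elif istrans(p, v, bankpid, uacc):
            if n <= 0:                                # N > 0 is required before a transfer
                return f"violation at step {i}", n
            n -= 1
    return "ok", n


def check_notrans(trace: List[Step], a: Any) -> str:
    """notrans(A): A is never part of an output; an input carrying A discharges the obligation."""
    for i, step in enumerate(trace):
        if step[0] == "in" and contains(step[2], a):
            return "discharged"
        if step[0] == "out" and contains(step[2], a):
            return f"violation at step {i}"
    return "ok"


# Constructed agent-level traces: "ag" is the billing agent, "bank" the bank agent,
# "res" the resource, "user" the requesting user and "uacc" the user account key.
AGENT_OK = [("in", "ag", ("use", "user")), ("tau",), ("out", "res", ("acquire", "ag")),
            ("in", "ag", ("acquire_ok", 17)), ("out", "bank", ("trans", ("uacc", "racc"), "ag"))]
# A second transfer attempted without a second use request.
AGENT_BAD = AGENT_OK + [("out", "bank", ("trans", ("uacc", "racc"), "ag"))]
# System-level traces: the bank is inside the system, so the transfer is an internal step.
SYSTEM_OK = [("in", "ag", ("use", "user")), ("tau",), ("out", "res", ("acquire", "ag")),
             ("in", "ag", ("acquire_ok", 17)), ("tau",), ("out", "user", ("use_ok", 17))]
# The account key is handed to a third party.
SYSTEM_LEAK = SYSTEM_OK[:2] + [("out", "third", ("contract", "uacc"))]

if __name__ == "__main__":
    print(check_safe(AGENT_OK, "ag", "bank", "uacc"))     # ('ok', 0)
    print(check_safe(AGENT_BAD, "ag", "bank", "uacc"))    # ('violation at step 5', 0)
    print(check_notrans(SYSTEM_OK, "uacc"))               # ok
    print(check_notrans(SYSTEM_LEAK, "uacc"))             # violation at step 2
```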

4 Proof System, Local Rules

In this section we give the formal semantics of sequents, present the most im-
portant rules of the proof system and establish the soundness of the proof rules.
Consideration of fixed points and discharge is delayed until later.

Sequents We start by introducing the syntax and semantics of sequents.

Definition 6 (Sequent, Sequent Semantics).

1. An assertion is a pair s : φ. An assumption is an assertion of the shape
either S : φ or (E, P, Q) : φ.

2. A valuation η is said to validate an assertion s : φ when sη ∈ ||φ||η.

3. A sequent is an expression of the shape Γ ⊢ Δ where Γ is a multiset of
assumptions, and Δ is a multiset of assertions.

4. The sequent Γ ⊢ Δ is valid, written Γ ⊨ Δ, provided for all valuations
η, if all assumptions in Γ are validated by η, then some assertion in Δ is
validated by η.

We use standard notation for sequents. For instance we use comma for mul-
tiset union, and identify singleton sets with their member. Thus, for instance,
Γ, S : φ is the same multiset as Γ ∪ {S : φ}.

Boolean formulas are independent of the system state being predicated. Thus,
when φ is boolean we often abbreviate an assertion like s : φ as just φ.

Proof Rules The Gentzen-type proof system comes in a number of installments.

1. The structural rules govern the introduction, elimination, and use of asser-
tions.

2. The logical rules introduce the logical connectives to the left and to the right
of the turnstile.

3. The equality rules account for equations and inequations.

4. The atomic formula rules control the Erlang-specific atomic formulas such
as the term and queue extractors, predicates such as local and foreign,
etc.

5. Finally the modal rules account for the modal operators.

It should be noted that, as we for now lack completeness results, the selection
of rules which we present is to some extent arbitrary. Indeed some rules have
deliberately been left out of this presentation for reasons of space. This is the
case, in particular, for the groups (4) and (5). We comment more on this below.
Moreover, because of the lack of completeness or syntactical cut-elimination
results, we know little about admissibility of several rules such as Cut below.

Structural Rules

  Id
    Γ, s : φ ⊢ s : φ, Δ

  BoolId
    Γ, φ ⊢ φ, Δ                          (φ boolean)

  WeakL
       Γ ⊢ Δ
    ----------------
     Γ, s : φ ⊢ Δ

  WeakR
       Γ ⊢ Δ
    ----------------
     Γ ⊢ s : φ, Δ

  ContrL
     Γ, s : φ, s : φ ⊢ Δ
    ---------------------
       Γ, s : φ ⊢ Δ

  ContrR
     Γ ⊢ s : φ, s : φ, Δ
    ---------------------
       Γ ⊢ s : φ, Δ
  Cut
     Γ ⊢ s : φ, Δ      Γ, s : φ ⊢ Δ
    --------------------------------
               Γ ⊢ Δ

  ProcCut
     Γ ⊢ s1 : ψ, Δ      Γ, S : ψ ⊢ s2 : φ, Δ
    ----------------------------------------   (S fresh)
           Γ ⊢ s2{s1/S} : φ, Δ

Observe that the standard cut rule is not derivable from the process cut rule as
in Cut the system state s might appear in Γ or Δ.

Logical Rules

  AndL
     Γ, s : φ1, s : φ2 ⊢ Δ
    -----------------------
     Γ, s : φ1 ∧ φ2 ⊢ Δ

  AndR
     Γ ⊢ s : φ1, Δ      Γ ⊢ s : φ2, Δ
    ----------------------------------
          Γ ⊢ s : φ1 ∧ φ2, Δ

  OrL
     Γ, s : φ1 ⊢ Δ      Γ, s : φ2 ⊢ Δ
    ----------------------------------
          Γ, s : φ1 ∨ φ2 ⊢ Δ

  OrR
     Γ ⊢ s : φ1, s : φ2, Δ
    -----------------------
     Γ ⊢ s : φ1 ∨ φ2, Δ

  AllL
     Γ, s : φ{v/V} ⊢ Δ
    --------------------
     Γ, s : ∀V.φ ⊢ Δ

  AllR
     Γ ⊢ s : φ, Δ
    --------------------   (V fresh)
     Γ ⊢ s : ∀V.φ, Δ

  ExL
     Γ, s : φ ⊢ Δ
    --------------------   (V fresh)
     Γ, s : ∃V.φ ⊢ Δ

  ExR
     Γ ⊢ s : φ{v/V}, Δ
    --------------------
     Γ ⊢ s : ∃V.φ, Δ

We claim that for the full proof system the left and right not introduction rules

  NotL
     Γ ⊢ s : φ, Δ
    --------------------
     Γ, s : not φ ⊢ Δ

  NotR
     Γ, s : φ ⊢ Δ
    --------------------
     Γ ⊢ s : not φ, Δ

are derivable. Given this a number of other useful rules such as the rule of
contradiction

  Contrad
     Γ ⊢ s : φ, Δ      Γ ⊢ s : not φ, Δ
    ------------------------------------
                  Γ ⊢ Δ

become easily derivable as well.



Equality Rules For the rules which follow recall that op ranges over data type
constructors like zero, successor, unit, binary tupling, etc.

  Refl
    Γ ⊢ p = p, Δ

  Subst
     Γ{p1/V} ⊢ Δ{p1/V}
    ----------------------------
     Γ{p2/V}, p1 = p2 ⊢ Δ{p2/V}

  ConstrIneq
    Γ, op(p1, ..., pn) = op'(p1', ..., pm') ⊢ Δ        (op ≠ op')

  ConstrEqL
     Γ, p1 = p1', ..., pn = pn' ⊢ Δ
    ------------------------------------------
     Γ, op(p1, ..., pn) = op(p1', ..., pn') ⊢ Δ

  ConstrEqR
     Γ ⊢ p1 = p1', Δ   ···   Γ ⊢ pn = pn', Δ
    ------------------------------------------
     Γ ⊢ op(p1, ..., pn) = op(p1', ..., pn'), Δ
Atomic Formula Rules For the Erlang-specific primitives we give only a sample
here, of rules governing the term and queue extraction constructs.

  TermL
     Γ, E = p ⊢ Δ
    -----------------------------------
     Γ, (E, Pid, Q) : term(Pid) = p ⊢ Δ

  TermR
     Γ ⊢ p1 = p2, Δ
    -------------------------------------
     Γ ⊢ (p1, pid, q) : term(pid) = p2, Δ

  ParTerm
     Γ ⊢ s1 : term(p1) = p2, Δ
    --------------------------------
     Γ ⊢ s1 || s2 : term(p1) = p2, Δ

  QueueL
     Γ, Q = p ⊢ Δ
    ------------------------------------
     Γ, (E, Pid, Q) : queue(Pid) = p ⊢ Δ

  QueueR
     Γ ⊢ p2 = p3, Δ
    ---------------------------------------
     Γ ⊢ (p1, pid, p2) : queue(pid) = p3, Δ

  ParQueue
     Γ ⊢ s1 : queue(p1) = p2, Δ
    ---------------------------------
     Γ ⊢ s1 || s2 : queue(p1) = p2, Δ



Modal Rules The rules governing the modal operators come in three flavours:
monotonicity rules that capture the monotonicity of the modal operators as
unary functions on sets, transition rules ("model checking-like rules") that prove
modal properties for closed system states by exploring the operational semantics
transition relations, and compositional rules that decompose modal properties
of composite system states in terms of modal properties of their components.

Monotonicity Rules The monotonicity rules are similar to well-known rules from
standard Gentzen-type accounts of modal logic. Let a stand for either no label
or for a label of the form p1!p2 or p1?p2.

  Mon1
     Γ, S : φ, S : φ1, ..., S : φm ⊢ S : ψ1, ..., S : ψn, Δ
    -------------------------------------------------------------------------   (S fresh)
     Γ, s : <a>φ, s : [a]φ1, ..., s : [a]φm ⊢ s : <a>ψ1, ..., s : <a>ψn, Δ

  Mon2
     Γ, S : φ1, ..., S : φm ⊢ S : ψ, S : ψ1, ..., S : ψn, Δ
    -------------------------------------------------------------------------   (S fresh)
     Γ, s : [a]φ1, ..., s : [a]φm ⊢ s : [a]ψ, s : <a>ψ1, ..., s : <a>ψn, Δ
Transition Rules The transition rules explore symbolic versions of the opera-
tional semantics transition relations. These relations have the shape

    s --pre, a, post--> s'

where pre is a (first-order) precondition for firing the transition from s to s', a (as
above) is the transition label, and post is the resulting (first-order) postcondition
in terms of e.g. variable bindings. Since the transformation of the semantics in
table 1 to a symbolic one is straightforward, we will only give a single example
of the transformation where the original rule

    SEND:    (r[pid'!v], pid, q) --pid'!v--> (r[v], pid, q)    if pid ≠ pid'

becomes the symbolic rule (sending binds no variables, so the postcondition is
simply true)

    SEND_s:  (r[pid'!v], pid, q) --pid ≠ pid', pid'!v, true--> (r[v], pid, q)

The transition rules now become the following two:

  Diamond
     Γ, pre, post ⊢ s' : φ      Γ ⊢ pre
    ------------------------------------   (s --pre, a, post--> s')
               Γ ⊢ s : <a>φ

  Box
     { Γ, a = a', pre, post ⊢ s' : φ  |  s --pre, a', post--> s' }
    ---------------------------------------------------------------
                          Γ ⊢ s : [a]φ

In the rule Box we use a = a' as an abbreviation. If a and a' have different sorts
(e.g. a is empty and a' is not) then a = a' abbreviates false. If a and a' are both
empty, a = a' abbreviates true. If a and a' are both send actions, e.g. a = p1!p2
and a' = p1'!p2', then a = a' abbreviates the conjunction p1 = p1' ∧ p2 = p2'. A
similar condition holds if a and a' are both input actions.



Compositional Rules We give rules for inferring modal properties of composite
system states s1 || s2 in terms of modal properties of the parts s1 and s2.

  DiaPar1
     Γ, S1 : φ, S2 : ψ ⊢ S1 || S2 : θ, Δ
    ----------------------------------------------------   (S1, S2 fresh)
     Γ, s1 : <p1!p2>φ, s2 : <p1?p2>ψ ⊢ s1 || s2 : ◇θ, Δ

  DiaPar2
     Γ, S : φ ⊢ S || s2 : ψ, Δ
    --------------------------------   (S fresh)
     Γ, s1 : ◇φ ⊢ s1 || s2 : ◇ψ, Δ

  DiaPar3
     Γ, S : φ ⊢ S || s2 : ψ, Δ
    --------------------------------------------   (S fresh)
     Γ, s1 : <p1?p2>φ ⊢ s1 || s2 : <p1?p2>ψ, Δ

  DiaPar4
     Γ, S : φ ⊢ S || s2 : ψ, Δ      Γ ⊢ s2 : foreign(p1), Δ
    ----------------------------------------------------------   (S fresh)
     Γ, s1 : <p1!p2>φ ⊢ s1 || s2 : <p1!p2>ψ, Δ
  BoxPar1
     Γ, S1 : φ1 ⊢ S1 : [] ψ[], Δ
     Γ, S1 : ψ[], S2 : φ2 ⊢ S1 || S2 : φ, Δ
     Γ, S2 : φ2 ⊢ S2 : [] θ[], Δ
     Γ, S1 : φ1, S2 : θ[] ⊢ S1 || S2 : φ, Δ
     Γ, S1 : φ1 ⊢ S1 : [V!V'] ψ[V!V'], Δ
     Γ, S2 : φ2 ⊢ S2 : [V?V'] θ[V?V'], Δ
     Γ, S1 : ψ[V!V'], S2 : θ[V?V'] ⊢ S1 || S2 : φ, Δ
     Γ, S1 : φ1 ⊢ S1 : [V?V'] ψ[V?V'], Δ
     Γ, S2 : φ2 ⊢ S2 : [V!V'] θ[V!V'], Δ
     Γ, S1 : ψ[V?V'], S2 : θ[V!V'] ⊢ S1 || S2 : φ, Δ
    ------------------------------------------------------   (S1, S2, V, V' fresh)
     Γ, s1 : φ1, s2 : φ2 ⊢ s1 || s2 : [] φ, Δ

  BoxPar2
     Γ, S1 : φ1 ⊢ S1 : [p1?p2] ψ[p1?p2], Δ
     Γ, S1 : ψ[p1?p2], S2 : φ2 ⊢ S1 || S2 : φ, Δ
     Γ, S2 : φ2 ⊢ S2 : [p1?p2] θ[p1?p2], Δ
     Γ, S1 : φ1, S2 : θ[p1?p2] ⊢ S1 || S2 : φ, Δ
    ------------------------------------------------------   (S1, S2 fresh)
     Γ, s1 : φ1, s2 : φ2 ⊢ s1 || s2 : [p1?p2] φ, Δ
The last two rules are less complex than they appear. They just represent the
obvious case analyses needed to infer the a-indexed necessity properties stated in
their conclusions. For instance in the case where a is empty it is clearly required
to analyse all cases where either

— s1 performs an internal transition and s2 does not,

— s2 performs an internal transition and s1 does not,

— s1 performs a send action and s2 performs a corresponding receive action,
and

— s2 performs a send action and s1 performs a corresponding receive action.

In fact, the last two rules are simplified versions of more general rules having
multiple assumptions about s1 and s2 in the conclusion. However, a formal state-
ment of these rules, while quite trivial, becomes graphically rather unwieldy.

Observe that these rules deal only with composite system states of the form
s1 || s2. Related compositional rules are needed also for singleton processes
(e, pid, q), to decompose properties of e in terms of properties of its constituent
parts. For closed processes, however, and for tail-recursive programs e (as is the
case in the main example considered later), the transition rules are quite ade-
quate, and so this collection of compositional proof rules for sequential processes
is not considered further in the present paper.

Theorem 1 (Local Soundness). Each of the above rules is sound, i.e. the
conclusion is a valid sequent whenever all premises are so and all side conditions
hold.

Proof. Here we show soundness of the more interesting rules only; the proofs of
the remaining rules are either standard or similar to these.
Rule ProcCut. Assume the premises of the rule are valid sequents. Assume
all assumptions in Γ are validated by some arbitrary valuation η. Then validity
of the first premise implies that also some assertion in s1 : ψ, Δ is validated by
η. Since S is fresh (i.e. not free in Γ or Δ) and since s1η equals Sη{s1η/S},
some assertion in S : ψ, Δ is validated by η{s1η/S}. Then either some assertion
in Δ is validated by η{s1η/S}, or all assertions in Γ, S : ψ are validated by
η{s1η/S}. In the latter case, the validity of the second premise implies that also
some assertion in s2 : φ, Δ is validated by η{s1η/S}. Since S is fresh and since
s2η{s1η/S} equals s2{s1/S}η, some assertion in s2{s1/S} : φ, Δ is validated by
η. Hence the conclusion of the rule is also a valid sequent.

Rule Mon1. Assume the premise of the rule is a valid sequent. Assume all
assumptions in Γ, s : <a>φ, s : [a]φ1, ..., s : [a]φm are validated by η. Then,
according to the semantics of the "diamond" and "box" modalities, there is
a closed system state s' such that sη --aη--> s' and s' satisfies all formulas in
φ, φ1, ..., φm under η. Since s' equals Sη{s'/S}, and since S is fresh, all as-
sumptions in Γ, S : φ, S : φ1, ..., S : φm are validated by η{s'/S}. By validity
of the premise, some assertion in S : ψ1, ..., S : ψn, Δ is also validated by
η{s'/S}. This means that either some assertion in Δ is validated by η, or s'
satisfies some formula in ψ1, ..., ψn under η, and consequently some assertion
in s : <a>ψ1, ..., s : <a>ψn, Δ is validated by η. Hence the conclusion of the
rule is also a valid sequent.

Rule DiaPar1. Assume the premise of the rule is valid. Assume all assumptions
in Γ, s1 : <p1!p2>φ, s2 : <p1?p2>ψ are validated by η. Then there are closed
system states s' and s'' such that s1η --p1η!p2η--> s' ∈ ||φ||η and s2η --p1η?p2η-->
s'' ∈ ||ψ||η. Since s' equals S1η{s'/S1, s''/S2} and s'' equals S2η{s'/S1, s''/S2},
and since S1 and S2 are fresh, all assumptions in Γ, S1 : φ, S2 : ψ are validated
by η{s'/S1, s''/S2}. Then, by validity of the premise, some assertion in S1 ||
S2 : θ, Δ is also validated by η{s'/S1, s''/S2}. As a consequence, either some
assertion in Δ is validated by η, or s' || s'' ∈ ||θ||η. In the latter case we have
s1η || s2η → s' || s'' ∈ ||θ||η, and therefore some assertion in s1 || s2 : ◇θ, Δ
is validated by η. Hence the conclusion of the rule is also valid.

Rule BoxPar1. The proof is along the lines of the preceding ones and shall only
be sketched here. Assume the premises to the rule are valid sequents. Assume
all assumptions in Γ, s1 : φ1, s2 : φ2 are validated by η. Then, from the first
two premises it follows that either some assertion in Δ is validated by η, or it
is the case that for every closed system state s such that s1η → s, process
s || s2η satisfies φ under η. Similarly, the next two premises imply that
s1η || s satisfies φ under η whenever s2η → s. From the next group of three
premises we obtain that s' || s'' satisfies φ under η whenever s1η --v'!v''--> s'
and s2η --v'?v''--> s'' for some values v' and v''. The last three premises imply that
s' || s'' satisfies φ under η whenever s1η --v'?v''--> s' and s2η --v'!v''--> s'' for
values v' and v''. As a consequence of these relationships, either some assertion
in Δ is validated by η, or every closed system state s such that s1η || s2η → s
satisfies φ under η. Hence, some assertion in s1 || s2 : [] φ, Δ is validated by η,
and therefore the conclusion of the rule is valid. □

5 Inductive and Coinductive Reasoning 

To handle recursively dehned formulas some mechanisms are needed for success- 
fully terminating proof construction when this is deemed to be safe. We discuss 
the ideas on the basis of two examples. 

Example 1 (Coinduction). Consider the following Core Erlang function:

    stream(N, Out) -> Out!N, stream(N + 1, Out).

which outputs the increasing stream N, N+1, N+2, ... along Out. The spec-
ification of the program could be that it can always output some value along
Out:

    stream_spec(Out) = always(∃X.⟨Out!X⟩true)

The goal sequent takes the shape

    Out ≠ P ⊢ ⟨stream(N, Out), P, Q⟩ : stream_spec(Out).                    (3)

That is, assuming Out ≠ P (since otherwise output will go to the stream
process itself), and started with pid P and any input queue Q, the property
stream_spec(Out) will hold. The first step is to unfold the formula definition.
This results in a proof goal of the shape

    Out ≠ P ⊢ ⟨stream(N, Out), P, Q⟩ : always(∃X.⟨Out!X⟩true).              (4)

Using the proof rules (4) is easily reduced to the following subgoals:

    Out ≠ P ⊢ ⟨stream(N, Out), P, Q⟩ : ⟨Out!N⟩true                            (5)
    Out ≠ P ⊢ ⟨stream(N + 1, Out), P, Q⟩ : always(∃X.⟨Out!X⟩true)            (6)
    Out ≠ P ⊢ ⟨stream(N, Out), P, Q · V'⟩ : always(∃X.⟨Out!X⟩true).          (7)

Proving (5) is straightforward using the local proof rules and fixed point unfold-
ing. For (6) and (7) we see that these goals are both instances of a proof goal,
namely (4), which has already been unfolded.

Continuing proof construction in example 1 beyond (6) and (7) is clearly
futile: The further information contained in these sequents compared with (4)
does not bring about any new potentiality for proof. So we would like the nodes
(6) and (7) to be discharged, as this happens to be safe. This is not hard to see:
The fixed point

    φ = always(∃V.⟨Out!V⟩true)

can only appear at its unique position in the sequent (6) because it did so in the
sequent (4). We can say that φ is regenerated along the path from (4) to (6).
Moreover, always constructs a greatest fixed point formula. It turns out that
the sequent (6) can be discharged for these reasons. In general, however, fixed
point unfoldings are not at all as easily analysed. Alternation is a well-known
complication. The basic intuition, however, is that in this case sequents can be
discharged for one of two reasons:

1. Coinductively, because a member of Δ is regenerated through a greatest
   fixed point formula, as in example 1.

2. Inductively, because a member of Γ is regenerated through a least fixed point
   formula.

Intuitively the assumption of a least fixed point property can be used to de-
termine a kind of progress measure ensuring that loops of certain sorts must
eventually be exited. This significantly increases the utility of the proof system.
For instance it allows for datatype induction to be performed.

Example 2 (Induction). Consider the following function:

    stream2(N + 1, Out) -> Out!N, stream2(N, Out)

which outputs a decreasing stream of numbers along Out. If N is a natural
number, stream2 has the property that, provided it does not deadlock, it will
eventually output zero along Out. This property can be formalised as follows:

    evzero(Out) = [ ]evzero(Out) ∧ ∀V.[Out!V](V = 0 ∨ evzero(Out))

The goal sequent is

    Out ≠ P, nat(N) ⊢ ⟨stream2(N + 1, Out), P, Q⟩ : evzero(Out)              (8)

where nat is defined in (1). The least fixed point appearing in the definition of
nat will be crucial for discharge later in the proof. By unfolding the function
according to its definition we obtain the sequent:

    Out ≠ P, nat(N) ⊢ ⟨(Out!N, stream2(N, Out)), P, Q⟩ : evzero(Out)

Now the formula has to be unfolded, resulting in a conjunction and hence in
two sub-goals. The first of these is proved trivially since the system state can-
not perform any internal transition when Out ≠ P. The second sub-goal, after
handling the universal quantifier, becomes:

    Out ≠ P, nat(N)
      ⊢ ⟨(Out!N, stream2(N, Out)), P, Q⟩ : [Out!V](V = 0 ∨ evzero(Out))      (9)

By following the output transition enabled at this state we come a step closer
to showing that zero is eventually output along Out:

    Out ≠ P, nat(N), N = V ⊢ ⟨stream2(N, Out), P, Q⟩ : V = 0, evzero(Out)   (10)

In the next step we perform a case analysis on N by unfolding nat(N). This
results in a disjunction on the left amounting to whether N is zero or not, and
yields the two sub-goals:

    Out ≠ P, N = 0, N = V ⊢ ⟨stream2(N, Out), P, Q⟩ : V = 0                 (11)

    Out ≠ P, nat(N'), N = N' + 1, N = V
      ⊢ ⟨stream2(N, Out), P, Q⟩ : evzero(Out)                                (12)

The first of these is proved trivially. The second can be simplified to:

    Out ≠ P, nat(N') ⊢ ⟨stream2(N' + 1, Out), P, Q⟩ : evzero(Out)           (13)

This sequent is an instance of the initial goal sequent (8). Furthermore, it was
obtained by regenerating the least fixpoint formula nat(N) on the left. This
provides the progress required to discharge (13).

Finitary data types in general can be specified using least fixpoint formulas.
This allows for termination or eventuality properties of programs to be proven
along the lines of the above example. In a similar way we can handle program
properties that depend on inductive properties of message queues.

6 Proof Rules for Recursive Formulas

The approach we use to handle fixed points, and capture the critical notions
of “regeneration”, “progress”, and “discharge” is, essentially, formalised well-
founded induction. When some fixed points are unfolded, notably least fixed
points to the left of the turnstile, and greatest fixed points to the right of the
turnstile, it is possible to pin down suitable approximation ordinals providing, for
least fixed points, a progress measure toward satisfaction and, for greatest fixed
points, a progress measure toward refutation. We introduce explicit ordinal vari-
ables which are maintained, and suitably decremented, as proofs are elaborated.
This provides a simple method for dealing with a variety of complications such
as alternation of fixpoints and the various complications related to duplication
and interference between fixed points that are dealt with using the much more
indirect approach of [Dam98].

We first pin down some terminology concerning proofs. A proof structure is
a finite, rooted, sequent-labelled tree which respects the proof rules in the sense
that if π is a proof node labelled by the sequent δ, and if π1, ..., πn are the
children of π in left to right order labelled by δ1, ..., δn then

        δ1  ...  δn
       -------------
             δ

is a substitution instance of one of the proof rules. A node π is elaborated if its
label is the conclusion of a rule instance as above. A proof is a proof structure
for which all nodes are elaborated. In the context of a given proof structure we
write π1 → π2 if π2 is a child of π1. A path is a finite sequence Π = π1, ..., πn
for which πi → πi+1 for all i : 1 ≤ i < n. Generally we use the term “sequent
occurrence” as synonymous with node. However, when the intention is clear from
the context we sometimes confuse sequents with sequent occurrences and write
e.g. δ1 → δ2 in place of π1 → π2 when the sequents label their corresponding
nodes.



Ordinal Approximations. In general, soundness of fixed point induction relies on
the well-known iterative characterisation where least and greatest fixed points
are “computed” as iterative limits of their ordinal approximations. This also
happens in the present case. Let κ range over ordinal variables. Valuations and
substitutions are extended to map ordinal variables to ordinals. Let U, V range
over fixed point formula abstractions of the form σZ(V1, ..., Vn).φ. We introduce
new formulas of the shape U^κ(P1, ..., Pn) and κ < κ'. Ordinal inequalities have
their obvious semantics, and κ ≤ κ' abbreviates κ < κ' ∨ κ = κ' as usual. For
approximated fixed point abstractions suppose first that U = σZ(V1, ..., Vk).φ
and σ = ν. Then

    ||U^α(P1, ..., Pk)|| η =
        S,                                              if α = 0
        ||φ{U^α'/Z}|| η{P1/V1, ..., Pk/Vk},              if α = α' + 1
        ∩{ ||U^α'(P1, ..., Pk)|| η | α' < α },           if α is a limit ordinal

Dually, if σ = μ:

    ||U^α(P1, ..., Pk)|| η =
        ∅,                                              if α = 0
        ||φ{U^α'/Z}|| η{P1/V1, ..., Pk/Vk},              if α = α' + 1
        ∪{ ||U^α'(P1, ..., Pk)|| η | α' < α },           if α is a limit ordinal

We get the following basic monotonicity properties of ordinal approximations:

Proposition 1. Suppose that α < α'.

1. If U is a greatest fixed point abstraction then

       ||U^α'(P1, ..., Pn)|| η ⊆ ||U^α(P1, ..., Pn)|| η

2. If U is a least fixed point abstraction then

       ||U^α(P1, ..., Pn)|| η ⊆ ||U^α'(P1, ..., Pn)|| η

Proof. By wellfounded induction. □

Moreover, and most importantly, we get the following straightforward appli-
cation of the well-known Knaster-Tarski fixed point theorem.

Theorem 2 (Knaster-Tarski). Suppose that U = σZ(V1, ..., Vk).φ. Then

    ||U(P1, ..., Pn)|| η =
        ∩{ ||U^α(P1, ..., Pn)|| η | α an ordinal },     if σ = ν
        ∪{ ||U^α(P1, ..., Pn)|| η | α an ordinal },     if σ = μ

As the intended model is countable the quantification in theorem 2 can be re-
stricted to countable ordinals.

The main rules to reason locally about fixed point formulas are the unfolding
rules. These come in four flavours, according to whether the fixed point abstrac-
tion concerned has already been approximated or not, and to the nature and
position of the fixed point relative to the turnstile.



            Γ, s : U^κ(P1, ..., Pn) ⊢ Δ
  ApprxL   -------------------------------------  U lfp, κ fresh
            Γ, s : U(P1, ..., Pn) ⊢ Δ

            Γ ⊢ s : U^κ(P1, ..., Pn), Δ
  ApprxR   -------------------------------------  U gfp, κ fresh
            Γ ⊢ s : U(P1, ..., Pn), Δ

            Γ, s : φ{U/Z, P1/V1, ..., Pn/Vn} ⊢ Δ
  UnfL1    -------------------------------------  U = σZ(V1, ..., Vn).φ
            Γ, s : U(P1, ..., Pn) ⊢ Δ

            Γ ⊢ s : φ{U/Z, P1/V1, ..., Pn/Vn}, Δ
  UnfR1    -------------------------------------  U = σZ(V1, ..., Vn).φ
            Γ ⊢ s : U(P1, ..., Pn), Δ

            Γ, s : φ{U^κ1/Z, P1/V1, ..., Pn/Vn}, κ1 < κ ⊢ Δ
  UnfL2    ------------------------------------------------  U lfp, κ1 fresh
            Γ, s : U^κ(P1, ..., Pn) ⊢ Δ

            Γ, κ1 < κ ⊢ s : φ{U^κ1/Z, P1/V1, ..., Pn/Vn}, Δ
  UnfR2    ------------------------------------------------  U gfp, κ1 fresh
            Γ ⊢ s : U^κ(P1, ..., Pn), Δ

            Γ, s : κ1 < κ ⊃ φ{U^κ1/Z, P1/V1, ..., Pn/Vn} ⊢ Δ
  UnfL3    ------------------------------------------------  U gfp
            Γ, s : U^κ(P1, ..., Pn) ⊢ Δ

            Γ ⊢ s : κ1 < κ ∧ φ{U^κ1/Z, P1/V1, ..., Pn/Vn}, Δ
  UnfR3    ------------------------------------------------  U lfp
            Γ ⊢ s : U^κ(P1, ..., Pn), Δ



Normally we would expect only least fixed point formula abstractions to appear 
in approximated form to the left of the turnstile (and dually for greatest fixed 
points). However, ordinal variables can “migrate” from one side of the turnstile 
to the other through one of the cut rules. Consider for instance the following 
application of the process cut rule: 



            Γ ⊢ s2 : U^κ(P1, ..., Pn)      Γ, S : U^κ(P1, ..., Pn) ⊢ s1 : φ
           -------------------------------------------------------------------
            Γ ⊢ s1{s2/S} : φ

In this example U may be a greatest fixed point formula which, through some
earlier application of ApprxR has been assigned the ordinal variable κ. The second
antecedent has U^κ occurring to the left of the turnstile.

In addition to the above 8 rules it is useful also to add versions of the identity
rules reflecting the monotonicity properties of ordinal approximations, prop. 1:

            Γ ⊢ κ < κ', Δ
  IdMon1   ---------------------------------------------------  U lfp
            Γ, s : U^κ(P1, ..., Pn) ⊢ s : U^κ'(P1, ..., Pn), Δ

            Γ ⊢ κ > κ', Δ
  IdMon2   ---------------------------------------------------  U gfp
            Γ, s : U^κ(P1, ..., Pn) ⊢ s : U^κ'(P1, ..., Pn), Δ

Additionally a set of elementary rules are needed to support reasoning about 
well-orderings, including transitivity and irreflexivity of <. These rules are left 
out of the presentation. 

For the above rules we obtain the following basic soundness result: 

Theorem 3. The rules ApprxL, ApprxR, UnfL1, UnfR1, UnfL2 and UnfR2 are
sound.

Proof. Rules ApprxL and ApprxR. For ApprxL assume Γ, s : U^κ(P1, ..., Pn) ⊨ Δ,
and that κ is fresh. Assume also that Γ and s : U(P1, ..., Pn) holds, up to
some valuation. Then, for this valuation, so does s : U^α(P1, ..., Pn) for some
ordinal α. But then we find that some assertion in Δ is true as well, completing
the case. For ApprxR the dual argument applies.

Rules UnfL1 and UnfR1. The soundness of these rules follows directly from the
fact that σZ(V1, ..., Vn).φ is a parametrised fixed point of φ.

Rules UnfL2 and UnfR2. We consider UnfL2. Assume that

    Γ, s : φ{U^κ1/Z, P1/V1, ..., Pn/Vn}, κ1 < κ ⊨ Δ.

Assume also that U is a least fixed point abstraction, and that κ1 is fresh. Assume
furthermore that a valuation is given, making Γ and U^α(P1, ..., Pn) true. Either
α is 0, or α = α1 + 1, or α is a limit ordinal. The first case is contradictory. For
the second case we get the κ1 we are looking for directly, and some assertion
in Δ is established as desired. For the third case we find some α1 < α such
that U^α1(P1, ..., Pn) is true. We can assume that α1 is a successor ordinal. But
then the previous subcase applies, and we are done. Again UnfR2 is proved by a
symmetric argument.

Rules UnfL3 and UnfR3. We consider UnfL3. Assume that

    Γ, s : κ1 < κ ⊃ φ{U^κ1/Z, P1/V1, ..., Pn/Vn} ⊨ Δ.

Assume also that a valuation is given such that Γ and s : U^α(P1, ..., Pn) is
true. Then whenever α1 < α, s : φ{U^α1/Z, P1/V1, ..., Pn/Vn} is true as well. If
α = 0 this is trivially so. If α is a successor ordinal it follows by prop. 1, and if
α is a limit ordinal we know that whenever α1 < α then s : U^(α1+1)(P1, ..., Pn),
so s : φ{U^α1/Z, P1/V1, ..., Pn/Vn}. In any case we can conclude that some
assertion in Δ must be true, finishing the argument. Again UnfR3 is symmetric.
Rules IdMon1 and IdMon2 are trivial, given prop. 1. □

Discharge: Some Intuition. The fundamental problem in arriving at a sound, yet
powerful, rule of discharge, is to control the way fixed points may interfere as
proofs are elaborated. We illustrate the problem by two examples.

Example 3. Consider the proof goal

    S : νZ1.μZ2.[ ]Z1 ∧ ∀P,V.[P!V]Z2 ⊢ S : μZ3.νZ1.[ ]Z1 ∧ ∀P,V.[P!V]Z3       (14)

The assumption states that any infinite sequence of internal or send transitions
can only contain a finite number of consecutive send transitions, while the as-
sertion states that any infinite sequence of internal or send transitions can only
contain a finite number of send transitions. Thus (14) is false.

Let us introduce the following abbreviations:

    U1 = νZ1.μZ2.[ ]Z1 ∧ ∀P,V.[P!V]Z2
    U2 = μZ2.[ ]U1 ∧ ∀P,V.[P!V]Z2
    U3 = μZ3.νZ1.[ ]Z1 ∧ ∀P,V.[P!V]Z3
    U4 = νZ1.[ ]Z1 ∧ ∀P,V.[P!V]U3

We start by refining (14) to the subgoal

    S : U2^κ2 ⊢ S : U4^κ4                                                    (15)

using the rules UnfL1, UnfR1, ApprxL and ApprxR. Continuing a few steps further
(by unfolding the fixed point formulas and treating the conjunctions on the left
and on the right) we obtain the two subgoals

    S : [ ]U1, S : ∀P,V.[P!V]U2^κ2', κ2' < κ2, κ4' < κ4 ⊢ S : [ ]U4^κ4'       (16)

    S : [ ]U1, S : ∀P,V.[P!V]U2^κ2', κ2' < κ2, κ4' < κ4 ⊢ S : ∀P,V.[P!V]U3    (17)

Subgoal (16) is refined via rule Mon2 to

    S : U1, S : ∀P,V.[P!V]U2^κ2', κ2' < κ2, κ4' < κ4 ⊢ S : U4^κ4'            (18)

and after unfolding U1 using UnfL1 we arrive at

    S : U2, S : ∀P,V.[P!V]U2^κ2', κ2' < κ2, κ4' < κ4 ⊢ S : U4^κ4'            (19)

which sequent one might expect to be able to discharge against (15) by coinduc-
tion in κ4. By the same token when we refine (17) to

    S : [ ]U1, S : U2^κ2', κ2' < κ2, κ4' < κ4 ⊢ S : U4                        (20)

we would expect to be able to discharge against (15) inductively in κ2. This
does not work, however, since derivation of (19) from (15) fails to preserve the
induction variable κ2 needed for (20), and vice versa, κ4 is not preserved along
the path from (15) to (20). Therefore, the infinite proof structure resulting from
an infinite repetition of the above steps contains paths in which neither of the
two variables is actually being preserved and decremented infinitely many times,
and hence the attempted ordinal induction fails. It would still have been sound
to discharge if at least one of the two ordinal variables had been preserved in
the corresponding other branch; then there would have been no such paths.
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Example 4- Consider the (reversed) proof goal 

S : iaZimZ2.[]Z2 A'iP,V.[P\V]Zi h S : ixZ3.iaZi.[]Z3 AyP,V.[P\V]Zi (21) 

stating that if all inhnite sequences of internal or send transitions of a process 
can only contain a hnite number of send transitions, then these inhnite sequences 
of internal or send transitions can only contain hnite sequences of consecutive 
send transitions. This goal is obviously valid. 

The abbreviations we shall use are: 

Ui = ^Zi.vZ2.[]Z2 A\/P,V.[P\V]Zi 
U2 = vZ2.[]Z2A^P, V.[P\V]U"'^ 

U 3 = vZ 3 .nZi.[]Z 3 AMP, V.[P\V]Zi 
Ui = nZi.[]U3^ AMP, V.[P\V]Zi 

First we apply rules ApprxL, ApprxR, UnfL2 and UnfR2 to reduce (21) to the 
subgoal 

S : U 2 , k'i < Ki, K 3 < K 3 b S : Ui (22) 

Continuing in much the same way as in the preceding example we arrive at the 
two subgoals 



S' :U2,S : MP, V.[P\V]Ui' , < < ki, 4 < K 3 b S' : C 3 ^ (23) 

S : []U2, S' : U'4' , k'i < ki, K 3 < K 3 b S' : Ui (24) 

These subgoals are rehned, using UnfR2 and UnfL2 respectively, to 

S' :U 2 ,S: MP, V.[P\V]uf^ , 4 < ki, 4 < K 3 , 4 < 4 
M S' : iaZi.[p 3 ” A MP, V.[P\V]Zi (25) 

S:[p2,S' : VZ 2 .UZ 2 A MP, 1/.[P!1/]C"", 4 < «i, 4 < K 3 , 4 ' < 4 
M S' :Ui (26) 



These sequents can be discharged against (22) inductively in K 3 , and coinduc- 
tively in k\, respectively. In contrast with the previous example, here every 
ordinal variable which is used for induction (or coinduction) in one of the two 
leaves is preserved throughout the path to the other leaf. 
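To make the ordinal approximation semantics of this section concrete, here is an added Python evaluator (constructed for this page, not code from the paper) that computes ||U^α|| over a small hand-built transition system and checks Proposition 1 on it; it then evaluates the formulas of Examples 3 and 4, with [ ] read as a `tau` label and ∀P,V.[P!V] abstracted to a single `send` label, and shows on that model that the implication in (14) fails while (21) holds.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Union

# Constructed finite model: state -> label -> successor states. "tau" is an
# internal step ([ ] in the paper); "send" stands for any P!V step, pid and
# value being abstracted away since the formulas quantify them universally.
State = int
LTS = Dict[State, Dict[str, FrozenSet[State]]]
Env = Dict[str, FrozenSet[State]]

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Box:  # [label] body
    label: str
    body: "Formula"

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Fix:  # sigma Z . body, with sigma one of "mu" (lfp) and "nu" (gfp)
    sigma: str
    name: str
    body: "Formula"

Formula = Union[Var, Box, And, Fix]

def sem(f: Formula, lts: LTS, env: Env) -> FrozenSet[State]:
    """||f|| env: the states satisfying f, env giving the free variables."""
    if isinstance(f, Var):
        return env[f.name]
    if isinstance(f, And):
        return sem(f.left, lts, env) & sem(f.right, lts, env)
    if isinstance(f, Box):
        inner = sem(f.body, lts, env)
        return frozenset(s for s in lts if lts[s].get(f.label, frozenset()) <= inner)
    return limit(f, lts, env)  # Theorem 2: a fixed point is the limit of its approximants

def approximant(f: Fix, alpha: int, lts: LTS, env: Env) -> FrozenSet[State]:
    """||U^alpha|| env from Section 6: U^0 is the whole state space for nu and the
    empty set for mu; U^(a+1) = ||body{U^a / Z}||. Finite ordinals suffice here,
    because on a finite model every approximant chain stabilises."""
    if alpha == 0:
        return frozenset(lts) if f.sigma == "nu" else frozenset()
    prev = approximant(f, alpha - 1, lts, env)
    return sem(f.body, lts, {**env, f.name: prev})

def limit(f: Fix, lts: LTS, env: Env) -> FrozenSet[State]:
    """Intersection (nu) or union (mu) of all approximants; the chain is
    monotone (Proposition 1), so the first repeated approximant is the limit."""
    alpha, cur = 0, approximant(f, 0, lts, env)
    while True:
        alpha += 1
        nxt = approximant(f, alpha, lts, env)
        if nxt == cur:
            return cur
        cur = nxt

def satisfying(f: Formula, lts: LTS) -> FrozenSet[State]:
    """States of lts satisfying the closed formula f."""
    return sem(f, lts, {})

def is_monotone(f: Fix, lts: LTS, upto: int = 4) -> bool:
    """Proposition 1 on U^0..U^upto: nu-approximants shrink, mu-approximants grow."""
    c = [approximant(f, a, lts, {}) for a in range(upto + 1)]
    if f.sigma == "nu":
        return all(c[i + 1] <= c[i] for i in range(upto))
    return all(c[i] <= c[i + 1] for i in range(upto))

# The formulas of Examples 3 and 4, with forall P,V.[P!V] written as [send].
# Assumption of (14): every infinite run has finitely many *consecutive* sends.
FIN_CONSEC_SENDS = Fix("nu", "Z1", Fix("mu", "Z2",
                       And(Box("tau", Var("Z1")), Box("send", Var("Z2")))))
# Assertion of (14): every infinite run has finitely many sends in total.
FIN_SENDS = Fix("mu", "Z3", Fix("nu", "Z1",
                And(Box("tau", Var("Z1")), Box("send", Var("Z3")))))

# Constructed model: 0 and 1 alternate tau and send forever, 2 loops on tau
# only, 3 loops on send only.
EXAMPLE_LTS: LTS = {0: {"tau": frozenset({1})}, 1: {"send": frozenset({0})},
                    2: {"tau": frozenset({2})}, 3: {"send": frozenset({3})}}

if __name__ == "__main__":
    consec = satisfying(FIN_CONSEC_SENDS, EXAMPLE_LTS)  # {0, 1, 2}
    total = satisfying(FIN_SENDS, EXAMPLE_LTS)          # {2}
    print("(21) valid on this model:", total <= consec)
    print("(14) refuted by state 0:", 0 in consec and 0 not in total)
```

State 0 alternates internal and send steps forever, so it has finitely many consecutive sends but infinitely many sends in total, which is exactly the counterexample to (14); the nested fixed points are computed purely by the approximant definition, with no special-casing of alternation.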

The Rule of Discharge. We now arrive at the formal definition of the rule of
discharge.

Convention 7. From this point onwards proof elaboration takes place in the
context of some fixed, but arbitrary linear ordering < on fixed point formula
abstractions U.




178 



M. Dam, L. Fredlund, and D. Gurov 



Assuming one fixed linear ordering can be too restrictive when recursive 
proof structures are independent. Below we briefly discuss ways of relaxing the 
construction to allow the linear ordering to be built incrementally. 

Below we define the critical notions of regeneration, progress, and discharge.
Discharge is applied when facing a proof goal πn which is unelaborated, such
that, below πn we find some already elaborated node π1 such that πn is in a
sense an instance of π1. This requires variables present in π1 to be interpreted
as terms in πn. This is what the substitution ρ of the following definition serves
to achieve.

Definition 8 (Regeneration, Progress, Discharge). Let Π = π1, ..., πn be
a path such that πn is not elaborated. Suppose that πi is labelled by Γi ⊢ Δi for
all i : 1 ≤ i ≤ n.

1. The path Π is regenerative for U and the substitution ρ, if whenever there
   is a κi such that U^κi is a subformula of Γi (Δi) then there also are κ1, ...,
   κi-1, κi+1, ..., κn such that for all j : 1 ≤ j ≤ n, U^κj is a subformula of
   Γj (Δj), and Γj ⊢ κj ≤ κj-1 for j > 1. Moreover we require that ρ(κ1) = κn.

2. The path Π is progressive for U and ρ if we can find κ1, ..., κn such that:

   (a) For all i : 1 ≤ i ≤ n, U^κi is a subformula of Γi (Δi), and Γi ⊢ κi ≤ κi-1
       for i > 1.

   (b) ρ(κ1) = κn.

   (c) For some i : 1 < i ≤ n, Γi ⊢ κi < κi-1.

3. The node πn can be discharged against the node π1 if we can find some U
   and substitution ρ such that:

   (a) Π is regenerative for all U' < U and ρ.

   (b) Π is progressive for U and ρ.

   (c) For all assumptions s : φ in Γ1, Γn ⊢ sρ : φρ, and for all assertions s : φ
       in Δ1, sρ : φρ ⊢ Δn.

In this case we term πn a discharge node and π1 its companion node.

In this definition we are being slightly sloppy with our use of U's: Really we
are identifying fixed point formula abstractions up to ordinal approximations
except where they are explicitly stated.

It is quite easy to verify that for Example 3 no linearisation of the fixed point
formulas can be devised such that the nodes (18) and (19) can be discharged. On
the other hand, for Example 4, any linear ordering which (up to approximation
ordinals) has U4 < U2 will do.

Observe that the linear ordering on fixed point formula abstractions can be
chosen quite freely. One might expect some correlation between position in the
linear ordering and depth of alternation, viz. example 4 above. In practice this
is in fact a good guide to choosing a suitable linear ordering. However, as we
show, we do not need to require such a correlation a priori. Moreover one can
construct examples, using cuts, of proofs for which the above rule of thumb does
not work.

Now, the full proof system is obtained by adding the proof rules for fixed 
points, including the rule of discharge, to the local rules of section 4. 
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Theorem 4 (Soundness, Recursive Formulas). The full proof system is 
sound. 

Proof. The proof is by induction on the size of proof trees. Assume a proof of root 
sequent Tq \~ Aq, and assume soundness for all proof trees of a strictly smaller 
size. Assume for a contradiction that Tq ^ Aq. We then hud a valuation rjo 
which invalidates Tq ^ Aq, i.e. which makes all assumptions in Tq valid, and all 
assertions in Aq invalid. We use this assumption to construct an inhnite rejeeiion 
sequenee S of sequent- valuation pairs (To \~ Aq, ryo)(Ai h Ai, rji) ■ ■ ■ such that for 
all i, rji invalidates Ti h Ai, and, considering nodes of discharge to be followed by 
their respective companion nodes, the sequent sequence (To h Zlo)(Ai h A\) ■ ■ ■ 
forms a run through the proof tree. Subsequently we use this sequence to derive 
a contradiction. 

The sequence S is constructed inductively. Assuming that the construction 
has reached the i’th element we show how to construct the {i -\- l)’th element 
depending on the rule by which Ti h Ai was elaborated in the proof. For all rules 
except discharge the construction is trivial, by the “local” soundness results. 
Theorems 1 and 3. So assume that Ti h Ai was discharged against T/ h A[ 
using substitution p as specihed by the dehnition of the discharge rule. We then 
dehne the {i -\- l)’st element of the sequence as (T/ h A[, rji o p) and show that 
rji.\.i = rji o p invalidates T/ h A'-. Let s : (() be any assertion in Tf By the 
induction hypothesis and condition 8.3.(c) we see that since all assumptions in 
Ti are validated under rji then so is s : (() under rji+i. Secondly let s : (() be any 
assertion in A'-. We need to show that sryi-i-i : frji+i is false. But if it were not, by 
the induction hypothesis and condition 8.3.(c) we would obtain some assertion 
in Ai which is valid under rji, and this is an impossibility since rji invalidates 
Ti h Ai. The construction is thus complete. 

Infinitely often along S the discharge rule is applied. The proof being finite,
the number of distinct fixed point abstractions that can appear in the proof is
finite too. As a consequence we must be able to find a smallest U under < which
is appealed to infinitely often (in 8.3) in applications of discharge along S. Let i
be such that Γi ⊢ Δi is elaborated infinitely often through the rule of discharge
by appealing to U, and that, for no j > i, is Γj ⊢ Δj discharged with reference
to a U' which is strictly smaller than U. For some κi we find an occurrence of
U^κi in the corresponding sequent Γi ⊢ Δi, say that U^κi is a subformula of Γi.
We then see that for each j > i we can find an ordinal variable κj such that U^κj
occurs as a subformula of Γj. We shall sketch an argument that the subformulas
can be chosen so that the values assigned to κj by ηj form a sequence which
is non-increasing and in fact infinitely often decreasing. But this is not possible,
since ordinals are well-founded, and we hence shall arrive at a contradiction.

Consider an arbitrary interval S(j1, jm) of S such that the first sequent
Γj1 ⊢ Δj1 is equal to the last Γjm ⊢ Δjm and does not occur inbetween. Then
there must be an element in the interval whose sequent is a discharge node, and
whose companion node is either Γj1 ⊢ Δj1 or is some sequent higher in the
proof tree (i.e. closer to the root sequent). We shall call the earliest such element
the characterising element of the interval. The interval itself might contain other
intervals of the same shape. Moreover, one can choose these intervals in such a
way that the elements not occurring in any of the intervals, the characterising
element being among them, form a simple run (i.e. a run not visiting any se-
quent more than once) through the loop defined by the discharge path for the
characterising sequent. Given an initial partitioning of S into such intervals, one
can iteratively apply this decomposition scheme until no interval can be further
decomposed. Given an index j, we shall call the active interval the least interval
of the above type containing both the j'th and the (j + 1)'th element of S.

We perform an initial partitioning of S in intervals S(j1, jm) so that Γj1 ⊢
Δj1 is the companion node of Γi ⊢ Δi and continue the decomposition process
as described above. Starting from index j = i, we shall choose κj according to
the discharge condition for the path having as a discharge node the sequent from
the characterising element of the active interval. If the current interval is charac-
terised by Γi ⊢ Δi (which can only happen in outermost intervals) we choose κj
as for progression (cf. 8.2), in all other cases we choose κj for regeneration (cf.
8.1). The discharge condition and the induction hypothesis guarantee that the
values assigned to κj by ηj form a sequence which is non-increasing (in regen-
erative intervals) and infinitely often decreasing (in progressive intervals), thus
yielding a contradiction.

So, no such rejection sequence S can exist, and the assumption Γ0 ⊭ Δ0
must have been false. □



7 Verifying the Resource Manager 

In this section the proof system is demonstrated by outlining a proof that the
resource manager function introduced in section 2 satisfies the safe specifica-
tion defined in section 3. The proof will be kept informal. For instance we will
write out neither ordinal variables nor the linear ordering on fixed point formula
abstractions, since they can easily be added to the proof. Adding ordinal an-
notations to the proof and taking them into account presents no real difficulty
since the fixed point definitions in the example are flat, i.e., they never refer to
other fixed point definitions.

For simplicity it is assumed that the manager knows of only one resource,
with public name Pu and private name Pr. The corresponding list [{Pu, Pr}] is
referred to as RL, and Rp denotes the process identifier of the resource manager
process.

Since the definition of safe is parametrised on a billing agent and a user
account the formula must be preceded by an initialisation phase (notice the use
of the weak modality [[a]] introduced in section 3):

    ∀PubRes, UAcc, UserPid, Agent.
      [Rp?{contract, {PubRes, UAcc}, UserPid}]
      [[UserPid!{contract_ok, Agent}]] safe(Agent, BankPid, UAcc, 0)

So we set out to prove the following sequent:

    Γ ⊢ ⟨rm(Rp, BankPid, RAcc), Rp, ε⟩
        : ∀PubRes, UAcc, UserPid, Agent.
          [Rp?{contract, {PubRes, UAcc}, UserPid}] ...                       (27)

The needed inequations on process identifiers (e.g., Rp ≠ Pr) are collected in
Γ. By application of simple proof steps - four applications of AllR and then
repeated applications of the rules for unfolding, elimination of conjunctions, and
the rule for the box modality - the following proof state is reached:

    Γ' ⊢ ⟨rm(Rp, BankPid, RAcc), Rp, ε⟩
         || ⟨billagent(Pr, BankPid, RAcc, UAcc), Bp, ε⟩
         : safe(Bp, BankPid, UAcc, 0)                                        (28)

where Γ' is Γ extended with the fact that Bp is a fresh process identifier. This
is a critical proof state, where we must come up with properties of the resource
manager and the billing agent, that are sufficiently strong to prove that their
parallel composition satisfies the safe property. In general such a proof step may
be very difficult, but here the choice is relatively simple:

φa: The billing agent satisfies the safe property, i.e., safe(Bp, BankPid, UAcc, 0).

φb: The billing agent communicates the user account to no process except the
    bank, unless some other process first sends it the account.

φc: The resource manager does not communicate the user account, unless some
    other process first sends it the account. This property can be formulated as
    notrans(UAcc) given the definition of the notrans property at the end of
    section 3.

φd: The resource manager does not send a tuple containing the atom use in the
    first position (a usage request to a billing agent).

φe: The resource manager cannot receive messages sent to the bank process, nor
    can it receive messages sent to the billing agent.

Properties φb, φd and φe can easily be formulated in a manner similar to φc.
Essentially these conditions guarantee that bank transfers are the result of user
requests, rather than incorrectly programmed billing agents or resource managers
that exchange information with each other.

The result of applying the ProcCut rule twice, after generalising the proof
goals, is the following proof obligations:

    Γ', not(contains(BQ, UAcc)), countuse(BQ, M), M ≤ N ⊢
        ⟨billagent(Pr, BankPid, RAcc, UAcc), Bp, BQ⟩
        : safe(Bp, BankPid, UAcc, N) ∧ φb                                    (29)

    Γ', not(contains(RQ, UAcc)) ⊢ ⟨rm(Rp, BankPid, RAcc), Rp, RQ⟩
        : notrans(UAcc) ∧ φd ∧ φe                                             (30)

    Γ', S1 : safe(Bp, BankPid, UAcc, N) ∧ φb, S2 : notrans(UAcc) ∧ φd ∧ φe
        ⊢ S1 || S2 : safe(Bp, BankPid, UAcc, N)                               (31)
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To prove the leftmost conjunct in the goal (29) one has to show that the number 
of valid usage requests in the input queue (the parameter M in couniuse(BQ , M)) 
is always less than or equal to the number of transfer requests that are possible 
(the parameter N). This proof involves well-known techniques for proving cor- 
rectness of sequential programs, and the proof of 4 >}, is even less involved (proofs 
omitted). Instead we concentrate on the leftmost conjunct of (30), i.e., that rm 
satisRes noirans( UAcc) as long as no element in its input queue contains UAcc. 
The proofs of properties (j>d and <j)e follow the same pattern (details omitted). 
To prove (30) we first unfold the definition of noirans and eliminate the con- 
junctions. In case of an input step [!/?!/'] either we are done immediately (if 
contams{V' , UAcc)). Otherwise the resulting proof state is 

r' ,not(coniams(RQ, UAcc)),not(coniams(V' , UAcc)) h 

{rm(RL, BankPid, RAcc), Rp, Rq ■ V') : noirans( UAcc) (32) 

which can be rewritten into (by referring to the definition of contains) 

U' ,not(coniains(RQ ■ V' , UAcc)) h 
[rm{Rp, BankPid, RAcc), Rp, Rq ■ V') : noirans( UAcc) (33) 

which can be discharged against the leftmost conjunct of (30). The rm process
can clearly not perform any output step so that part of the conjunction is trivially
true. Thus only the internal step remains, and such a step must correspond to
unfolding the application rm(Rp, BankPid, RAcc). The resulting proof state is:

    Γ', not(contains(RQ, UAcc)) ⊢
        ⟨case {Rp, BankPid, RAcc} of ..., Rp, RQ⟩ : notrans(UAcc)            (34)

By repeating the above steps, i.e., handling input, output and internal steps
eventually one reaches the goal:

    Γ'', not(contains(RQ', UAcc)) ⊢
        ⟨UserPid!{contract_ok, Bp'}, rm(Rp, BankPid, RAcc) ..., Rp, RQ'⟩
        || ⟨billagent(Pr, BankPid, RAcc, UAcc'), Bp', ε⟩
        : notrans(UAcc)                                                       (35)

where Γ'' is Γ' together with inequations involving the fresh process identifier
Bp', and the fact that UAcc' ≠ UAcc. This goal is handled by applying ProcCut
to the parallel composition using notrans(UAcc) as the cut formula both to the
left and to the right. The resulting goals are:

    Γ'', not(contains(RQ', UAcc)) ⊢
        ⟨UserPid!{contract_ok, Bp'}, rm(Rp, BankPid, RAcc) ..., Rp, RQ'⟩
        : notrans(UAcc)                                                       (36)

    Γ'' ⊢ ⟨billagent(Pr, BankPid, RAcc, UAcc'), Bp', ε⟩ : notrans(UAcc)       (37)

    Γ'', S3 : notrans(UAcc), S4 : notrans(UAcc) ⊢ S3 || S4 : notrans(UAcc)    (38)
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Goal (37) is easy to prove, since no new processes are created (proof sketch 
omitted). For goal (36) we have to show not( contains ({coniraci_ok , Bp}, UAcc)), 
since this is the value the resource manager will send to pid UserPid. The prop- 
erty is clearly true since Bp is a fresh pid. The resulting goal, after a simple step 
where the resulting sequence is reduced, becomes 

r" ,not(coniains(RQ' , UAcc)) h (^rm{RL, BankPid , RAcc), Rp, Rq') 

: noirans( UAcc) (39) 

This goal can be discharged against the leftmost conjunct of (30). Thus only 
goals (31) and (38) remain. These types of goals are handled in a uniform and 
regular way, using applications of BoxParl and BoxPar2, repeated use of boolean 
reasoning, the UnfR and UnfL rules, and discharging against previously seen goals 
(details omitted). 

8 Concluding Remarks 

We have introduced a specification logic and proof system for the verification of
programs in a core fragment of Erlang, and illustrated its application on a small,
but quite delicate, agent-based example. Our approach is quite general both re-
garding the kinds of languages and models that can be addressed, and the kinds
of assertions that can be formulated. For instance we are not restricted, as in
many other approaches to compositional verification, to linear-time logic, neither
does the proof system rely on auxiliary features like history or prophecy vari-
ables. In addition our approach permits the treatment of programming language
constructs such as dynamic process creation, non-tail recursion and inductive
data type definitions in a uniform way, via a powerful rule of discharge.

An important feature of our approach is the use of hxed points to describe 
recursively the hue structure of computation trees, and to use these recursive 
descriptions to decompose properties according to system structure. No hxed 
vocabulary of temporal connectives such as those of LTL, CTL, or CTL* would 
permit a similarly general decomposition. The proof-theoretical setting given 
here represents a substantial advance on the initial work for CCS reported in 
[Dam98]. That work suffered from a number of shortcomings which we think 
have now been resolved in a satisfactory manner. This concerns: 

1. The account of discharge in [Dam98] used an indirect approach, tracking and 
indexing hxed point unfoldings in a very syntactical and opaque manner. The 
present approach, using explicit ordinal annotations, is arguably far simpler, 
more intuitive, and semantically clearer. 

2. The sequent format used in [Dam98] was more restrictive than the one used 
here, in effect preventing contraction, affecting proof power very severely, 
theoretically as well as in practice. 

3. The discharge condition of [Dam98] required much more rigid relationships 
between the structure of discharged nodes and the internal nodes motivating 
their discharge. In effect it was required that all information be completely 
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cyclic in a pointwise manner. But many examples are extremely cumbersome, 
if not outright impossible, to force into such a framework. 

The drawback, if any, of the approach used here is the explicit use of ordinals.
However, in an implementation of this proof system, users need rarely, if ever, be
directly exposed to ordinals. Ordinal annotations can be automatically
synthesised, and only in very special circumstances do we envisage ordinal
information being passed explicitly to users for proof debugging.

Several important lessons were learned in the process of doing proofs like
the billing agent example. We have already mentioned the need for more flexible
sequent formats and discharge conditions. Practical proofs tend to get very
large. Without support for reducing duplication of proof nodes the proof example
outlined for the billing agent has in the range of 10®-10® proof tree nodes.
Just by avoiding proof node duplication this figure can be brought down very
substantially, for the billing agent example by roughly a factor of 15. But in fact
very few steps in the proof convey information which is really interesting. These
are:

1. Points where a process cut needs to be applied, to initiate induction in system
state structure.

2. Points at which some other symbolic or inductive argument needs to be done,
to handle e.g. induction in the message queue structure.

3. Choice points which we may want to return to later, for backtracking.

4. Points which we expect to want to discharge against in the future.

One can easily envisage other proof elaboration steps being automated, and
eliminated from view to a very large extent, perhaps using a selection of
problem-dependent proof tactics. However, it is important to realise that, in
contrast to mainstream proof editors such as HOL or PVS, in this setting some
explicit support for managing proof node histories is essential for efficiency.

To investigate these issues, and to begin doing real application studies, we
are currently building a prototype proof checking tool that can handle programs
of a moderate size such as the billing agent example. Some support for automation
of proof steps along the above lines already exists (e.g. for some model
checking analyses), but we also need to identify other classes of sequents that
can be solved algorithmically. Other ongoing work focuses on integrating the
operational semantics of Erlang more tightly with the proof system (along the
lines of [Sim95]) and on improving the handling of process identifier scoping (but
see [AD96] for an approach to this in the context of the π-calculus).
1 Introduction

This paper presents a reference semantics for a verification tool currently under
development which allows the verification of temporal properties of embedded
control systems modelled using the StateMate system. The semantics reported
differs from others reported in the literature [24] by faithfully modelling the
semantics as supported in the StateMate simulation tool. It differs from the
recent paper by Harel and Naamad [8] by providing a compositional semantics, a
prerequisite for the support of compositional verification methods, and by the
degree of mathematical rigour. We use a variant of the synchronous transition
systems introduced by Manna and Pnueli [18] as the base model for our semantics.

The StateMate modelling language constructs covered in this paper are
Activity charts, modelling the functional decomposition of a design into subunits
called activities as well as the information flow between these, and Statecharts,
modelling reactive behaviour using the well established approach of hierarchically
organized state-machines. We strive for a verification approach which is
compositional w.r.t. the decomposition of systems into subsystems. This will
allow activities of "reasonable" complexity to be verified using symbolic model
checking [5, 4, 19]. Larger activities will be verified on the basis of proof-systems
relating properties of individual activities to properties of compound activities,
using the well known assumption-commitment paradigm [1, 21, 15]. A key topic
for this paper is the construction of so-called compositional models, which are
"rich enough" to model the StateMate parallel composition by intersection
of the infinite traces generated by the components of the parallel composition.
Roughly, compositional models have to provide room for padding arbitrary (but
still "legal") environment interactions into computations of a component.
Alternatively, the construction of compositional models can be phrased as a
requirement on the model to support a sufficiently rich class of observables for
assumption-commitment style reasoning to be complete. In this sense, this paper
derives the set of atomic propositions included as observables in the
assumption-commitment style temporal logic supported by the verification tool.

The richness of the StateMate modelling languages forbids a complete
treatment within such a formal semantics. While [8] elaborates in a detailed
fashion the construction of compound transitions from transition segments, we
take this as given in this paper. We also abstract from the concrete syntax of
action annotations, but keep them rich enough to show how all the associated
intricacies can be handled formally.

Following these disclaimers, we now elaborate those aspects we do consider
to be central.

This paper focuses on the so-called asynchronous semantics or super-step
semantics supported by the StateMate simulation tool. Intuitively, a super-step
consists of a (possibly unbounded) chain of reactions (called steps) of the system
under development (henceforth abbreviated SUD) to an external stimulus.
Activities of the SUD perform steps in synchrony: at a step-boundary, a maximal
conflict-free set of enabled transitions is selected based on events generated in
the previous step and valuations of (shared and local) variables and conditions,
leading to a new valuation and a new set of generated events visible first after
completion of the step. Four issues deserve attention already in this introduction.

— Steps may diverge due to the presence of while-loops within action
annotations; our language reflects this by allowing not only event generation and
assignments, but also divergence as an effect of executing an action.

— The super-step semantics distinguishes between events generated by the
environment of the SUD, and events generated locally. While all events persist
for one step only¹, external events are only consulted at the first step and
are communicated to the environment of the SUD first after completion of
a super-step. Events generated internally by the SUD will be sensed in the
next step. Indeed the distinction between externally and locally generated
events is paramount for the definition of a super-step: it terminates if no
further steps can be taken on the basis of presence or absence of locally
generated events. We pick this up in the formal development by distinguishing
slow events (from the environment of the SUD) from fast events (generated
locally). Note that a compositional semantics of an activity will have to treat
an event generated outside the considered activity but within the SUD (a fast
event) differently from one that is generated not only outside the considered
activity, but also outside the SUD (a slow event).

— StateMate supports the concept of data items, which subsumes the notion
of variables, in particular retaining their value over step-boundaries even if
unchanged. Based on scoping rules (and actual usage detected at compile
time), variables can be local (to an activity) or shared. In this paper we
abstract from the concrete syntax of declarations and replace this by a
classification of variables as local and shared. Shared variables are assumed to
have usage annotations as in, out, or inout, and are for reasons explained
above additionally labelled as slow or fast. Clearly, slow variables may only
change at super-step-boundaries, while fast variables may change from step
to step. A key aspect of this paper is the compositional treatment of shared
variables, allowing interferences between a locally computed value and the
value suggested by the environment of an activity.

¹ More precisely, externally generated events persist until the completion of the first
step in the subsequent super-step.
— StateMate supports a discrete simulation time, subsequently referred to
simply as "the clock". In the asynchronous execution mode, the clock is
only incremented at super-step boundaries (which requires global agreement
between all activities of the SUD upon termination). In our model,
which in contrast to a simulation tool clearly cannot allow interactions by
user-commands (such as GO-ADVANCE or GO-NEXT) to prescribe how time is
advanced, we increment time at super-step boundaries to the next relevant
clock tick, determined by counters handling time-outs and scheduled actions.
Again a key emphasis of this paper lies in the compositional treatment of
real-time aspects of StateMate designs. The timing-model chosen classifies
StateMate as a synchronous language [2]: super-steps are executed
infinitely fast (in the discrete time scale in fact in zero-time) obeying the
non-Zeno property, since the clock will always be incremented at least by
one time-unit at super-step boundaries.

The paper is organized as follows. Chapter 2 introduces the semantical model 
of synchronous transition systems and their runs. The semantics of StateMate 
will be given in terms of this model. Chapter 3 details the abstract syntax for 
the StateMate subset treated in this paper and defines the set of observables 
supported for a StateMate activity. It also collects the standard functions 
to navigate in the state-hierarchy as well as the concept of orthogonality of 
transitions. Chapter 4 handles the construction and execution of a single step 
for a single statechart, which is extended to super-steps in Chapter 5. Finally, 
Chapter 6 deals with the semantics of activity charts. 

2 Synchronous Transition Systems 

The semantics of statecharts will be given in terms of synchronous transition
systems. We introduce a slight variant called compositional synchronous transition
systems (CSTS), which forms the basis for compositional reasoning.

A transition system is given by a set of system states and a set of transitions
between system states. Instead of giving an explicit representation of a
transition system we will use symbolic representations given by variable
assignments which may be defined by formulae.

Given a (typed) set V of variables and a (typed) data domain 𝒟, a valuation²
w.r.t. V is a type preserving mapping σ : V → 𝒟. We will use Σ(V) to denote
the set of all valuations over the variables V. If V is obvious from the context we
will use the notation Σ instead of Σ(V). Given a subset V' of V the restriction
of a valuation σ ∈ Σ(V) to V', denoted by σ|_{V'}, is a valuation of Σ(V') given
by

    σ|_{V'} : V' → 𝒟 : v ↦ σ(v)

² In the context of transition systems, a valuation is usually called a state. But, to
distinguish between a state of a statechart and a state of a transition system we call
the latter one a valuation.
A transition system

    Φ = (V, Θ, ρ)

is given by a set V of variables, a set Θ ⊆ Σ(V) of initial valuations, and a
transition relation ρ ⊆ Σ(V) × Σ(V).

A run π of a transition system Φ is a finite or infinite sequence of valuations

    π = σ₀ → σ₁ → σ₂ → . . .

with

— σ₀ ∈ Θ (A run starts with an initial valuation.)

— ∀i ∈ ℕ : (σᵢ, σᵢ₊₁) ∈ ρ (Successor system states are given by the transition
relation.)

The i-th valuation in a run π is also denoted by π(i). An infinite run is also
called a computation.

For the transition relation ρ we also use the notation σ → σ' or σ →ρ σ' to
denote that (σ, σ') ∈ ρ. →⁺ and →* denote the transitive, resp. transitive and
reflexive, closure of →.

    reachable(σ) := {σ' | σ →* σ'}

is the set of valuations reachable from σ and

    reachable(Φ) := ⋃_{σ ∈ Θ} reachable(σ)

is the set of reachable valuations of a transition system Φ.

We denote by run(Φ) the set of all runs and by Comp(Φ) the set of all
computations of the transition system Φ, i.e.

    run(Φ) = {π | π run of Φ}
    Comp(Φ) = {π | π computation of Φ} .

A transition system Φ is called consistent if Comp(Φ) ≠ ∅, i.e. if there is
at least one computation. Φ is called viable if every run π can be extended to
a computation π'. Hence a system is viable if every reachable valuation has at
least one successor valuation.

2.1 Compositional Synchronous Transition Systems 

In this general view there is no distinction between internal, external or shared
variables. Given a set of externally visible variables we can specify the observable
behaviour of a transition system by restricting its computations to the externally
visible variables. The distinction between externally observable and local
variables is needed to describe the composition of transition systems.

190 W. Damm, B. Josko, H. Hungar, and A. Pnueli

Given a transition system Φ and a set E ⊆ V of externally observable
variables, a trace over E is an infinite sequence ν of valuations ν(i) ∈ Σ(E) such
that ν can be extended to a computation π of Φ. I.e. ν : ℕ → E → 𝒟 is a trace
of Φ iff there exists a computation π of Φ s.t. π|_E = ν, i.e. π(i)(v) = ν(i)(v) for
all i ∈ ℕ and v ∈ E. We define the set of traces w.r.t. E by

    {ν | ∃ computation π s.t. π|_E = ν} .

A transition system with a distinguished set of externally visible variables,

    Φ = (V, Θ, ρ, E),

will be called a compositional synchronous transition system (CSTS). The
variables of V \ E are considered to be local, hence when composing two systems we
assume that these internal variables are disjoint. This can always be achieved
by renaming. Hence, assuming that the local variables of two transition systems
are disjoint, we define the composition by the intersection of the given transition
systems.

Given two systems Φ₁ = (V¹, Θ¹, ρ¹, E¹) and Φ₂ = (V², Θ², ρ², E²) with
(V¹ \ E¹) ∩ V² = ∅ and (V² \ E²) ∩ V¹ = ∅ we define their parallel composition
by Φ = (V, Θ, ρ, E) where

— V = V¹ ∪ V²

— E = E¹ ∪ E²

— Θ = {σ ∈ Σ(V) | σ|_{V¹} ∈ Θ¹ and σ|_{V²} ∈ Θ²}

— ρ ⊆ Σ(V) × Σ(V) is given by

    (σ, σ') ∈ ρ iff (σ|_{V¹}, σ'|_{V¹}) ∈ ρ¹ and (σ|_{V²}, σ'|_{V²}) ∈ ρ²

The composition will be denoted by Φ₁ || Φ₂. If (V¹ \ E¹) ∩ V² or (V² \ E²) ∩ V¹
are not empty we will first rename the variables in (V¹ \ E¹) and (V² \ E²) before
applying the composition.

This composition does in general not preserve viability and consistency. It
may be the case that both Φ₁ and Φ₂ are viable (consistent) but the composition
is not. Observe that e.g. Θ may be empty even if both Θ¹ and Θ² are not
empty. Or, one transition system may require that a valuation with u = 1 has to
be followed by a valuation with v = 2 and the other system may demand that
a valuation with u = 1 is followed by a valuation with v = 3. Hence a system
state with u = 1 reached in the composed system will have no successor. In
the modelling of statecharts we will not have such contradictory requirements in
components. Our semantics will not introduce deadlocks in a composed system
when there is no corresponding deadlock in one component. To achieve this, the
semantics of one component will contain all observable behaviour of its
environment. Semantical models satisfying this property are called compositional.
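The intersection composition and the viability/consistency distinction just described, as an added Python model that is not part of the paper: a finite CSTS with explicit valuations, restriction, reachability, the two closure notions and Φ₁ || Φ₂, run on the u = 1 example above. All variable names, domains and transition predicates are constructed for this illustration.

```python
from itertools import product

# Added example, not from the paper: a finite, explicit model of the CSTS
# definitions of Section 2. A valuation sigma is a frozenset of (variable,
# value) pairs so that it can be a set member; every variable name, domain
# and transition predicate below is constructed for this illustration.


def restrict(sigma, variables):
    """sigma|_V' : keep only the bindings of the variables in `variables`."""
    return frozenset((v, x) for v, x in sigma if v in variables)


def all_valuations(variables, domain):
    """Sigma(V): every mapping from V into the (finite) domains of its variables."""
    names = sorted(variables)
    return [frozenset(zip(names, vals))
            for vals in product(*(sorted(domain[n]) for n in names))]


class CSTS:
    """Phi = (V, Theta, rho, E): variables, initial valuations, transition
    relation and externally observable variables E, a subset of V."""

    def __init__(self, V, theta, rho, E):
        self.V, self.E = frozenset(V), frozenset(E)
        self.theta, self.rho = frozenset(theta), frozenset(rho)

    @classmethod
    def from_predicates(cls, V, E, domain, init, step):
        """Build Theta and rho from predicates over plain {variable: value} dicts."""
        sigmas = all_valuations(V, domain)
        theta = {s for s in sigmas if init(dict(s))}
        rho = {(s, t) for s in sigmas for t in sigmas if step(dict(s), dict(t))}
        return cls(V, theta, rho, E)

    def successors(self, sigma):
        return {t for s, t in self.rho if s == sigma}

    def reachable(self):
        """reachable(Phi): union over Theta of the ->* closure."""
        seen, todo = set(), list(self.theta)
        while todo:
            s = todo.pop()
            if s not in seen:
                seen.add(s)
                todo.extend(self.successors(s))
        return seen

    def deadlocks(self):
        """Reachable valuations without a successor: runs that cannot be
        extended to a computation."""
        return {s for s in self.reachable() if not self.successors(s)}

    def viable(self):
        return not self.deadlocks()

    def consistent(self):
        """Comp(Phi) != {}. Over finitely many valuations an infinite run exists
        iff some initial valuation reaches a cycle; computed as the greatest
        fixpoint of 'has a surviving successor' on the reachable valuations."""
        live = self.reachable()
        changed = True
        while changed:
            changed = False
            for s in list(live):
                if not (self.successors(s) & live):
                    live.discard(s)
                    changed = True
        return bool(self.theta & live)

    def compose(self, other, domain):
        """Phi1 || Phi2 by intersection. The paper renames clashing local
        variables first; this model simply refuses to compose such systems."""
        if (self.V - self.E) & other.V or (other.V - other.E) & self.V:
            raise ValueError("rename local variables before composing")
        V = self.V | other.V
        sigmas = all_valuations(V, domain)
        theta = {s for s in sigmas if restrict(s, self.V) in self.theta
                 and restrict(s, other.V) in other.theta}
        rho = {(s, t) for s in sigmas for t in sigmas
               if (restrict(s, self.V), restrict(t, self.V)) in self.rho
               and (restrict(s, other.V), restrict(t, other.V)) in other.rho}
        return CSTS(V, theta, rho, self.E | other.E)


# The paper's example as a constructed instance: both components start with
# u = 0, v = 0; Phi1 demands that u = 1 is followed by v = 2, Phi2 that it is
# followed by v = 3. Each alone is viable, the composition deadlocks at u = 1.
DOMAIN = {"u": {0, 1}, "v": {0, 2, 3}}
SHARED = {"u", "v"}
PHI1 = CSTS.from_predicates(SHARED, SHARED, DOMAIN,
                            lambda s: s["u"] == 0 and s["v"] == 0,
                            lambda s, t: s["u"] != 1 or t["v"] == 2)
PHI2 = CSTS.from_predicates(SHARED, SHARED, DOMAIN,
                            lambda s: s["u"] == 0 and s["v"] == 0,
                            lambda s, t: s["u"] != 1 or t["v"] == 3)
COMPOSED = PHI1.compose(PHI2, DOMAIN)

if __name__ == "__main__":
    print("viable:", PHI1.viable(), PHI2.viable(), COMPOSED.viable(),
          "composition consistent:", COMPOSED.consistent())
```

The composition stays consistent (it can idle in u = 0 forever) while losing viability, which is exactly the gap between the two notions the text draws.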

3 STATEMATE Designs: Key Concepts 

This section introduces the abstract syntax for the sublanguage of statecharts 
considered in this paper. We first describe the state-based concepts of state- 
charts, then we will discuss the data concepts including events. Finally the exe- 
cution concepts are given. 
3.1 State-based Concepts

The state-oriented hierarchical modelling style of statecharts rests on the
definition of a hierarchically structured set of states, inducing a child relation
between certain states. States can be either Basic, Or, or And states. Clearly only
Basic states have no children. To be in an Or state means to be in exactly one of
its children. The children of an And state constitute its components. To be in an
And state means to be in all its components. We denote the set of states of SC
by states(SC). It comes equipped with a child function

    child : states(SC) → 2^{states(SC)} ,



a mode function

    mode : states(SC) → {Basic, Or, And} ,

and a function designating for each OR-state one of its children as the default
child, which is entered whenever the OR-state itself is entered:

    default : {s | mode(s) = Or} → states(SC) .

To be well-defined, such a hierarchical set of states, states(SC), has to be
a finite tree with a distinguished root state root with mode(root) = Or³. The
function child gives the set of successors of a node in the tree.

If a state s is a substate of s', i.e. s ∈ child(s'), the state s' is also called the
father state of s, written as father(s).

The depth of a state w.r.t. the state hierarchy is inductively defined by

    depth(s) := 0                       if s = root
                depth(father(s)) + 1    otherwise

and the depth of a statechart SC is given by the maximal nesting of states:

    depth(SC) := max{depth(s) | s ∈ states(SC)} .

The function child defines a partial ordering on the set of states:

    s ≤ s
    s ∈ child(s')           then s' ≤ s
    s ≤ s' and s' ≤ s''     then s ≤ s''
    s < s'  iff  s ≠ s' and s ≤ s' .

The dynamic behaviour of statecharts stems from firing transitions or exe- 
cuting static reactions associated with states. We discuss transitions first. 

The elementary concept of a transition between states has been elaborated to 
a complex object in the statechart context. We discuss below some of the added 
complexity, before offering the abstract syntax for the chosen sublanguage. 

³ In StateMate the root need not be an OR-state. But in that case the simulator will
introduce an additional top state of mode Or.
— intra-level transitions

Statecharts allow transitions to exit and enter multiple levels of the state
hierarchy, requiring a precise analysis as to which states remain active and
which are exited or entered.

— multiple sources and targets

This analysis is further complicated by allowing multiple sources and targets,
obeying certain well-formedness properties formalized below.

— connectors and transition segments

In the graphical representation, a transition can be split into several segments
linked via connectors. Each segment can have separate firing conditions,
inducing a non-trivial analysis when constructing compound transitions out of
transition segments. In this paper, we assume that this analysis has been
carried out, and only retain the concept of history and termination connectors
discussed below.

— history connectors

Among the allowed targets of a transition are history connectors, which come
in two versions. Shallow history connectors (henceforth referred to simply as
"history connectors") memorize the unique child of an Or state active when last
exiting this Or state. When entering an Or state with a history connector,
the child entered is given by the substate stored in the history connector,
rather than the default child. Deep history connectors not only memorize
the previously active child of the associated Or state, but the complete
state configuration below this state (see the following section for a formal
definition of the intuitive concept of state configuration). Hence when
entering an Or state s, the descendants to be activated are completely retrieved
from the current value of the deep history connector. We will discuss below
implicit events associated with history connectors.

— termination connectors

Among the allowed targets of transitions are termination connectors, which
when entered cause the activity associated with SC to become inactive and
emit the event stopped(A) after completing the current step.

Additional concepts such as the labelling of transitions with guards and actions
will be discussed in Section 3.3. We now formalize the above concepts.

Connectors. We assume disjoint sets Hconn(SC), Dhconn(SC), and Tconn(SC)
of history connectors, deep history connectors and termination connectors, which
jointly define the set conn(SC) of connectors of SC. Recall that connectors are
allowed to occur as targets of transitions. For each connector, there is a unique
OR-state with which it is associated via the function

    state : conn(SC) → {s ∈ states(SC) | mode(s) = Or} .
Moreover, each OR-state is allowed to have at most one history and deep
history connector⁴. We will sometimes make use of the inverse (partial) functions

    hist : {s ∈ states(SC) | mode(s) = Or} → Hconn(SC)

    dhist : {s ∈ states(SC) | mode(s) = Or} → Dhconn(SC) .
Transitions. We assume a set trans(SC) of transition names. This comes equipped
with a pair of functions defining the sources and targets associated with a
transition. Sources and targets of a transition have to obey well-formedness
restrictions defined below.

    source : trans(SC) → 2^{states(SC)}

defines for a transition t a nonempty set of source states.

    target : trans(SC) → 2^{states(SC) ∪ conn(SC)}

defines for t a non-empty set of target states or connectors.



Next we will define a collection of auxiliary functions which will be used
to define well-formedness conditions on statecharts and which are necessary to
define the effect of firing a transition. We also introduce the concept of
configurations describing maximal subsets of states allowed to be concurrently
active. We will first define the smallest region in which changes, due to the
execution of a transition, may occur.

The least common ancestor lca(S) of a non-empty set of states defines the
closest state which subsumes all states of S. As the root is an ancestor of every
state, lca(S) will exist for every subset S of states. It is defined by

    lca(S) ≤ S   (lca(S) is an ancestor of every state of S)   and
    ∀s ∈ states(SC) with s ≤ S : s ≤ lca(S)   (lca(S) is minimal) .

The least common or-ancestor lca⁺(S) of a non-empty set of states defines
the smallest OR-state which subsumes all states of S and is not contained in S
itself. If the least common ancestor is an OR-state not contained in S this is also
the least common OR-ancestor, otherwise, we pick the closest OR-state above
the least common ancestor. As we require that the root is an OR-state, the least
common OR-ancestor exists for every subset of states not containing the root.
If the root is contained in S the root will also be the least common OR-ancestor
by definition. Hence the least common OR-ancestor is defined by

⁴ The StateMate system allows more than one (deep) history connector for one
OR-state. But this can be seen as syntactical sugar.
    lca⁺(S) :=  root   if root ∈ S
                s      if root ∉ S and s < S and mode(s) = Or and
                       ∀s' ∈ states(SC) : mode(s') = Or and s' < S ⇒ s' ≤ s

Two states s and s' are orthogonal, denoted by s ⊥ s', if they are in parallel
states, i.e. they are not related w.r.t. the child* function and their common
ancestor is an AND-state.

    s ⊥ s'  iff  s ≰ s' and s' ≰ s and mode(lca({s, s'})) = And

A set S of states is called orthogonal, denoted by ⊥(S), if the states of S are
pairwise orthogonal.

A set of states S ⊆ states(SC) is called consistent, denoted by ↓(S), iff every
two states s, s' of S are either related by the child relation (s ≤ s' or s' ≤ s)
or orthogonal.

A state configuration is a maximal consistent set of states.

The scope of a transition t, denoted by scope(t), is the smallest range which
is affected by firing the transition t. It is the OR-state obtained as the lca⁺ of the
source and target states of the transition. As the target may also contain some
connectors, we have to replace these connectors by the corresponding OR-state
to compute the common ancestor. Let

    states : 2^{states(SC) ∪ conn(SC)} → 2^{states(SC)} : S ∪ C ↦ S ∪ {state(c) | c ∈ C}

then

    scope(t) := lca⁺(source(t) ∪ states(target(t))) .

Given a consistent set S ⊆ states(SC) the default completion dcompl(S) is
the smallest set C such that

1. S ⊆ C,

2. s ∈ C and s ≠ root then also father(s) ∈ C,

3. s ∈ C and mode(s) = Or and child⁺(s) ∩ S = ∅ then default(s) ∈ C,

4. s ∈ C and mode(s) = And then child(s) ⊆ C.

The completion of a consistent set of states w.r.t. history connectors will be
defined in Section 4.

Two transitions are consistent if they are active in two orthogonal regions,
i.e. if their scopes are orthogonal.

    ↓(t₁, t₂)  iff  scope(t₁) ⊥ scope(t₂)

This notion can be extended to a set of transitions. A set T of transitions is
consistent, denoted by ↓(T), iff the transitions of T are pairwise consistent.



If a set of possibly executable transitions is not consistent we will use a
priority relation to select a consistent subset. The priority of a transition is
given by the distance of its scope from the root:

    prio : T → ℕ
    t ↦ depth(SC) − depth(scope(t)) .

A statechart SC is well-formed (wf(SC)) iff for all transitions t we have

— ↓(source(t)) and ↓(states(target(t)))

— ∀s ∈ source(t) : mode(s) = Or ⇒ ∀s' : s < s' ⇒ s' ∉ source(t)

— ∀s ∈ target(t) : mode(s) = Or ⇒ ∀s' : s < s' ⇒ s' ∉ target(t)

— ∀h ∈ target(t) : mode(state(h)) = Or ⇒ ∀s' : state(h) < s' ⇒ s' ∉ target(t)

— root ∉ source(t) ∪ target(t)

In the rest of this paper we will only consider well-formed statecharts.
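The hierarchy functions of this section (the ordering ≤, depth, lca, lca⁺, orthogonality, consistency, scope, prio and dcompl) as an added Python implementation that is not the paper's own; the statechart, its history connector h_net and the transitions t1 to t4 are constructed for this illustration. It goes slightly beyond the text by computing child⁺(s) explicitly for the default-completion rule.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Added example, not from the paper: the state-hierarchy functions of Section
# 3.1 (ordering, depth, lca, lca+, orthogonality, consistency, scope, priority
# and default completion) over a constructed statechart.

ROOT = "root"
Transition = namedtuple("Transition", "name source target")  # sets of states / connectors


@dataclass
class Statechart:
    mode: dict     # state -> "Basic" | "Or" | "And"
    child: dict    # state -> set of children (empty for Basic states)
    default: dict  # Or-state -> default child
    conn_state: dict = field(default_factory=dict)  # connector -> its Or-state

    def father(self, s):
        return next(p for p, cs in self.child.items() if s in cs)

    def ancestors(self, s):  # all s' with s' <= s, s included; root is least
        chain = [s]
        while s != ROOT:
            s = self.father(s)
            chain.append(s)
        return chain

    def leq(self, s, t):  # s <= t : s equals t or is an ancestor of t
        return s in self.ancestors(t)

    def descendants(self, s):  # child+(s): all proper descendants of s
        return {x for x in self.mode if x != s and self.leq(s, x)}

    def depth(self, s):
        return len(self.ancestors(s)) - 1

    def lca(self, S):  # deepest state that is an ancestor-or-equal of all of S
        common = set.intersection(*(set(self.ancestors(s)) for s in S))
        return max(common, key=self.depth)

    def lca_plus(self, S):  # deepest Or-state strictly above all of S
        if ROOT in S:
            return ROOT
        cands = [s for s in self.mode if self.mode[s] == "Or"
                 and all(s != t and self.leq(s, t) for t in S)]
        return max(cands, key=self.depth)  # root always qualifies

    def orthogonal(self, s, t):  # s _|_ t
        return (not self.leq(s, t) and not self.leq(t, s)
                and self.mode[self.lca({s, t})] == "And")

    def consistent(self, S):  # every pair related by <= or orthogonal
        return all(self.leq(s, t) or self.leq(t, s) or self.orthogonal(s, t)
                   for s in S for t in S)

    def states_of(self, targets):  # replace connectors by their Or-state
        return {self.conn_state.get(x, x) for x in targets}

    def scope(self, t):
        return self.lca_plus(set(t.source) | self.states_of(t.target))

    def prio(self, t):  # depth(SC) - depth(scope(t))
        return max(map(self.depth, self.mode)) - self.depth(self.scope(t))

    def dcompl(self, S):
        """Least C containing S and closed under rules 1-4 of the paper."""
        C = set(S)
        changed = True
        while changed:
            changed = False
            for s in list(C):
                new = {self.father(s)} if s != ROOT else set()
                if self.mode[s] == "Or" and not (self.descendants(s) & set(S)):
                    new.add(self.default[s])
                if self.mode[s] == "And":
                    new |= self.child[s]
                if not new <= C:
                    C |= new
                    changed = True
        return C


# Constructed statechart: root = idle | busy, busy = net || ui,
# net = conn | disc (default conn), ui = show | hide (default show),
# plus a history connector h_net belonging to net.
SC = Statechart(
    mode={ROOT: "Or", "idle": "Basic", "busy": "And", "net": "Or", "ui": "Or",
          "conn": "Basic", "disc": "Basic", "show": "Basic", "hide": "Basic"},
    child={ROOT: {"idle", "busy"}, "idle": set(), "busy": {"net", "ui"},
           "net": {"conn", "disc"}, "ui": {"show", "hide"},
           "conn": set(), "disc": set(), "show": set(), "hide": set()},
    default={ROOT: "idle", "net": "conn", "ui": "show"},
    conn_state={"h_net": "net"},
)
T1 = Transition("t1", {"idle"}, {"busy"})      # scope root, prio 3
T2 = Transition("t2", {"conn"}, {"disc"})      # scope net, prio 1
T3 = Transition("t3", {"show"}, {"hide"})      # scope ui, orthogonal to t2
T4 = Transition("t4", {"idle"}, {"h_net"})     # history target -> state net
```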

3.2 The Data-Space of a Statechart 

The compositional models we generate distinguish between local variables, and
external variables, which are observable for a designer analyzing the black-box
behaviour of an activity. Only the observables enter the interface.

The concept of an interface of an activity is both implicitly and explicitly
available in the StateMate system. For each activity, a compile-time analysis
is carried out to determine usage of data-items and events, leading to a
classification into local and shared, which is further refined by attributes
characterizing the direction of information flow. This interface concept is also
explicitly defined for so-called generic activity charts through corresponding
data-dictionary entries. As explained in the introduction, our classification will
additionally introduce attributes fast and slow, modeling the distinction between
shared variables and/or events manipulated by the environment of the SUD, and
those which are non-local to the activity, but under the control of the SUD.

StateMate defines a number of implicitly generated events which e.g. allow
monitoring of accesses to shared variables or are related to the scheduling
primitives used in a controlling statechart. We will below list those observables
which are implicitly associated with an activity based on the explicitly declared
interface objects. We will subsequently use the terms "explicit" and "implicit"
observables to distinguish if needed between these interface objects.

In the context of a compositional semantics, the interface of an activity must
finally provide additional auxiliary observables, handling divergence,
synchronization and incrementation of the clock. Whereas implicit observables are
well-known to StateMate designers, auxiliary observables arise purely in the
context of compositionality. Thus, they require additional documentation to make
them accessible to StateMate designers willing to perform a compositional proof.

For practical purposes it is important to note that already the explicit
interface objects determine completely the set of all observables: all activities
share analogous sets of auxiliary observables, and implicit events are canonically
associated with explicit observables. Our formal definition reflects this
observation.
Events and Variables. The data space of a StateMate design may contain
events, conditions and variables. Events and conditions are boolean in nature,
with different updating mechanisms. To simplify the exposition, we identify
conditions with Boolean variables, and hence also disregard all implicit events
associated with conditions.

Both events and variables may be bidirectional in the syntax of StateMate.
In our CSTS semantics, we introduce two CSTS variables e_in and e_out for each
bidirectional shared event, and similarly two variables for each shared variable.
The CSTS will use these copies according to their implicit direction.

The set of supported types SM_Types for variables is defined in e.g. [13]; it
subsumes bits, bit-arrays, records, arrays, queues as well as user defined types.
For the purpose of this paper, the exact type system is of no importance. Every
type τ is associated with a data domain 𝒟^τ. The disjoint union of all data
domains will be denoted by 𝒟.



The Interface of an Activity. As explained above, the interface consists of 
an explieit, an implieit and an auxiliary part. 

The Explieit Interfaee. With an activity A we assume as given its explieit inter- 
faee eJnt{A) which contains: 

— the set events(A) of events of A together with two functions 

dir : events{A) {in, out, inout] 

speed : events{A) {slow, fast} 

giving the direction of information flow as well as the distinction between 
events external to the SUD and local to the SUD; 

— the typed set var(A) of shared variables of A together with three functions 

type : var(A) SM_Types 

dir : var(A) {in, out, inout} 

speed : var(A) {slow, fast} 

giving type, direction and speed of shared variables. 

If the direction is in, the event, resp., variable, may be reacted upon, resp., read. 
If the direction is out, it may only be set. The use of objects of the direction 
inout is unrestricted. 

The Implicit Interface. We now turn to the implicit interface of an activity A, i_int(A). The following reflects the subset supported in the verification environment under construction, which slightly deviates from those defined in StateMate in order to support compositional reasoning. 

Shared Variables. For each variable v of direction inout in the external interface, we assume that events(A) contains the following events: 

    written_out(v)   event   out   speed(v)   activity A writes on v 
    written_in(v)    event   in    speed(v)   environment of A writes on v 
    changed_out(v)   event   out   speed(v)   activity A changes value of v 
    changed_in(v)    event   in    speed(v)   environment of A changes value of v 
    read_out(v)      event   out   speed(v)   activity A reads v 
    read_in(v)       event   in    speed(v)   environment of A reads v 

If the direction is in, the events written_out(v) and changed_out(v) are omit- 
ted. If the direction is out, the event read_out(v) is missing. 

In this paper we do not handle the StateMate constructs write_data(v) 
and read_data(v) , but instead allow the above events to occur within actions. 

Scheduling Control. We assume that events(A) contains the following events controlling activation, suspension, and termination of activity A: 

    st!(A)       event   in    fast   activates activity A 
    started(A)   event   out   fast   reports that activity A has been started 
    sp!(A)       event   in    fast   terminates activity A 
    stopped(A)   event   out   fast   reports that activity A has been terminated 
    sd!(A)       event   in    fast   suspends activity A 
    rs!(A)       event   in    fast   resumes activity A 

We assume that var(A) contains the following conditions reporting on the status of activity A: 

    active(A)    bool var   out   fast   activity A is active 
    hanging(A)   bool var   out   fast   activity A is suspended 

Note: If A itself is bound to a control statechart, events(A) will in particular contain events controlling its sibling activities, and sense conditions regarding their state contained in var(A). I.e. if A is a control activity with sibling activities A_1, ..., A_n, then events(A) contains also the events st!(A_i), started(A_i), sp!(A_i), stopped(A_i), sd!(A_i), rs!(A_i), and var(A) contains also the conditions active(A_i) and hanging(A_i) for 1 ≤ i ≤ n. Though these events and conditions have a particular pragmatics, they can be treated uniformly as other events and variables of the interface of A in the formal definition of the semantics, and thus do not require an additional syntactic category. 

Auxiliary Interface. We finally add within the auxiliary interface of A those observables required to deal in a compositional way with divergence within a step, synchronization at super-step boundaries, and incrementation of the clock. All of these are declared as directed variables. Auxiliary variables and events are not allowed to occur within guards or actions. 

Step-divergence. 

    step_div(A)       event   out   fast   false iff A is willing to initiate a step 
    step_div_env(A)   event   in    fast   false iff environment of A is willing to initiate a step 

Synchronisation at Super-step Boundaries. 

    stable(A)       event   out   fast   true iff A is willing to initiate a super-step 
    stable_env(A)   event   in    fast   true iff the environment of A is willing to initiate a super-step 

Incrementing the Clock. 

    time   event   in   slow   signals the next clock tick. 



The Full Interface. The full interface provides the external variables of our CSTS semantics of an activity A. It deviates from the union of the three parts of the interface defined above in that it splits the bidirectional variables and events occurring in the external StateMate interface. 

Given an external interface e_int(A), we denote by full_int(A) the interface that contains 

— all directed events and variables of e_int(A) 

— all directed copies of bidirectional events and variables in e_int(A) 

— all implicit interface objects associated with e_int(A) 

— all auxiliary interface objects of A. 

We will show in Chapter 6, that a construction of the CSTS providing the 
full interface as externally visible variables is rich enough to capture parallel 
composition of traces of activities A and B through the synchronized product of 
the associated CSTSs. Additional components in the product will take care of 
the issues connected to the updating of shared variables and events which have 
been replaced by directed copies. In particular, these components will permit us 
to retrieve the actual StateMate values from the values of the copies. 

The Variables of a Statechart. A statechart SC inherits the external and 
full interface of the activity A it defines. In the sequel, we assume a fixed full 
interface of directed events events(A) and variables var(A) as given. 

A statechart SC extends the state-space by defining local events and local 
variables, which we assume to be disjoint from events and variables of the full 
interface of SC. In the formal definition we extend the codomain of dir by 
allowing as additional attribute the “direction” local, and fix this as “direction” 
for all local objects. By definition, the speed of all local objects is fast. Types 
are assigned to local variables via a function type. We denote local events and 
variables of SC by events(SC) and var(SC), respectively. 

Shared Variables. For each local variable v we assume that events(SC) contains the following events: 

    written(v)   event   local   fast   SC writes on v 
    read(v)      event   local   fast   SC reads v 
    changed(v)   event   local   fast   SC changes value of v 

States. For each state s we have the following implicit events and conditions: 

    in(s)        bool var   local   fast   SC is in state s 
    entered(s)   event      local   fast   SC has entered state s 
    exited(s)    event      local   fast   SC has exited state s 

History. History connectors come equipped with implicitly defined events allowing to clear the stored state (resp. configuration): if state(h) = s then 

    hc!(s)   event   local   fast   clears the history connector of s 
    dc!(s)   event   local   fast   clears the deep history connector of s 

Again we assume such implicit events to be contained in events(SC). 

We denote by events(SC, A) the union of all local events of SC and events in the full interface of the associated activity, and similarly abbreviate all local and interface variables by var(SC, A). 



3.3 Execution Concepts 

In addition to the elementary concepts of a transition discussed in Section 3.1 
transitions are also labelled with guards to control the execution and actions to 
be performed on executing a transition. We first discuss these concepts infor- 
mally: 

— complex guards 

A transition may only be fired, if its guard evaluates to true. StateMate's syntax views guards as consisting of a pair of predicates, evaluating presence or absence of events, and the current valuation of variables. Among the event-related part are so called time-out events discussed below. For the purpose of this paper, a guard is simply a Boolean expression over events and variables, where we view events as (special) variables of type Boolean and identify e = true with e being present. 

— complex actions 

If a transition is fired, its action annotation causes events to be generated and variables to obtain new values. In our concrete syntax, the basic action e := true (for an event e) stands for the generation of event e (again allowing a more unified semantical treatment by viewing events as special Boolean variables which are automatically reset and which the user can only choose to set to true). In general, assignments are provided as basic actions to update variables. Basic actions can be combined by the ;-operator (denoting parallel rather than sequential composition, but cf. the handling of context variables below), a variant of if-then-else, and iteration. For the purpose of this paper, we replace iteration by just one new basic action div modelling divergence, and allow as action annotations a ;-list of guarded basic actions. 

We delay a discussion of scheduled actions to the paragraph addressing the 
real-time programming features of StateMate. 

StateMate evaluates all expressions in guards and assignments with re- 
spect to a valuation of events and variables prior to firing any transition in 
a new step. 

However, StateMate also includes a class of variables, called context vari- 
ables, which are evaluated with respect to the value determined by the latest 
assignment to this variable. Here, latest refers to the order of actions in the 
;-list, hence giving this operator some sequential flavour after all. To distin- 
guish these variables from ordinary variables, occurrences of these variables 
are decorated by $. In a StateMate design, context variables are usually 
used as index variables in loops. We use $var{SC) to refer to the context 
variables of the statechart SC. 

— real-time constructs 

StateMate provides two ways of relating events and actions to the clock 
modelling real-time (c.f. chapter 1). 

• Transitions can be triggered, if a time-out period for a monitored event e has expired. Syntactically, StateMate allows as guards time-out events of the form tm(e,texp) for events e and integer expressions texp. In StateMate, texp counts in time units which are user-definable for each activity; in order not to burden the exposition with conversions between time-scales, we interpret texp as denoting multiples of the real-time clock associated with the SUD. In our paper, time-outs can only be monitored for local events and incoming external events. 

Time-out events induce setting of a (simulator internal) timer, which is reset whenever the monitored event occurs. If the timer expires, a (local fast) event is generated signalling the time-out, which is then handled uniformly as other local fast events. 

• Actions can be scheduled to occur after a user specified delay. Syntactically, StateMate allows actions of the form sc!(a,texp), where a is an action and texp an expression of type integer. We again interpret texp as counting time units of the underlying real-time clock. 

It is important to remember, that the "real-time clock" of a StateMate model is NOT related to the physical clock of a target architecture of the embedded control application. A good interpretation of the above real-time constructs is that of imposing constraints on the actual (physical) execution time. Suppose that the user defines the (fictitious) real-time clock of the StateMate model to run with a 1 ms resolution, and poses as guard a time-out on some event e after 5 time-units. If all code segments to be executed between generation of event e and checking for the time-out event can be executed on the target architecture within 5 ms, the designer's intuition about posing the time-out in the model will match what happens when the generated code runs on the target. The validation of compliance of the target code w.r.t. such timing constraints is not addressed in this paper. Instead, "real-time verification" as used in this paper refers to the formal proof, that properties expressed in terms of the fictitious real-time clock are satisfied in a StateMate model operating w.r.t. this fictitious real-time clock. 

Guards and Expressions. Recall that we view events e ∈ events(SC, A) as boolean variables (with restricted user rights). The set of typed expressions over events(SC, A) and var(SC, A), Exp(events(SC, A), var(SC, A)), is defined as usual, using the predefined operators as defined in the StateMate reference manual, with the additional restriction that expressions do not contain occurrences of out events or variables (these may only be set but never tested by SC). We just write Exp whenever other parameters are clear from the context, and Exp^type to designate expressions of type type, abbreviating Exp^bool by Bexp, and Exp^int by Texp whenever expressions are used to express delays, such as the expression texp within time-outs and scheduled actions. We use exp (resp. b) as meta-variable for (boolean) expressions. 

Guards are simply boolean expressions constructed over the sets events(SC, A), var(SC, A), and time-out events in the set Tevents(SC, A) defined inductively by 

    e ∈ events(SC, A) ∧ dir(e) ∈ {in, local} ⇒ tm(e, texp) ∈ Tevents(SC, A) 

    te ∈ Tevents(SC, A) ⇒ tm(te, texp) ∈ Tevents(SC, A) 

    te_1, te_2 ∈ Tevents(SC, A) ∪ {e | e ∈ events(SC, A) ∧ dir(e) ∈ {in, local}} 
        ⇒ tm(not te_1, texp), tm(te_1 and te_2, texp), tm(te_1 or te_2, texp) ∈ Tevents(SC, A). 

Note, that time-outs are allowed to be nested. We require, that the delay 
expression texp always evaluates to a positive delay greater than zero. Further- 
more, we require that the delay expressions are constants at compile time. We 
refer by Tevents(g) to the set of time-out events occurring in a guard g. 
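The inductive definition of Tevents(SC, A) together with the two requirements on delays (constant, strictly positive) can be checked mechanically. The following is an added example, not code from the paper: guard terms are nested tuples of an encoding chosen here, `dir_of` stands in for the interface function dir, and the event names in the sample are constructed.

```python
"""Well-formedness of time-out events tm(te, texp) according to the three
inductive clauses of Tevents(SC, A), together with Tevents(g).

Added example, not code from the paper. Guard terms are nested tuples:
    ('ev', name)           an event e in events(SC, A)
    ('tm', term, delay)    the time-out event tm(term, delay)
    ('not', t), ('and', t1, t2), ('or', t1, t2)
`dir_of` maps an event name to its direction; it stands for the function dir
of the interface and is supplied by the caller."""
from typing import Any, Callable, Set, Tuple

Term = Tuple[Any, ...]
DirOf = Callable[[str], str]


def is_monitorable_event(term: Term, dir_of: DirOf) -> bool:
    """Plain events a time-out may monitor: e with dir(e) in {in, local}."""
    return term[0] == "ev" and dir_of(term[1]) in ("in", "local")


def is_operand(term: Term, dir_of: DirOf) -> bool:
    """Operands of not/and/or under tm: Tevents(SC, A) or a monitorable event."""
    return is_tevent(term, dir_of) or is_monitorable_event(term, dir_of)


def is_tevent(term: Term, dir_of: DirOf) -> bool:
    """True iff term is in Tevents(SC, A) with a constant, strictly positive delay."""
    if term[0] != "tm":
        return False
    inner, delay = term[1], term[2]
    # delays must be compile-time constants greater than zero
    if not isinstance(delay, int) or isinstance(delay, bool) or delay <= 0:
        return False
    if is_monitorable_event(inner, dir_of):       # clause 1: tm(e, texp)
        return True
    if is_tevent(inner, dir_of):                  # clause 2: nested tm(te, texp)
        return True
    if inner[0] == "not":                         # clause 3: boolean combinations
        return is_operand(inner[1], dir_of)
    if inner[0] in ("and", "or"):
        return is_operand(inner[1], dir_of) and is_operand(inner[2], dir_of)
    return False                                  # e.g. a time-out over an out event


def tevents_of(guard: Term, dir_of: DirOf) -> Set[Term]:
    """Tevents(g): all time-out events occurring in guard g, nested ones included.
    Raises ValueError on the first ill-formed time-out, naming it."""
    found: Set[Term] = set()

    def walk(t: Term) -> None:
        if t[0] == "tm":
            if not is_tevent(t, dir_of):
                raise ValueError(f"ill-formed time-out event: {t!r}")
            found.add(t)
            walk(t[1])
        elif t[0] == "not":
            walk(t[1])
        elif t[0] in ("and", "or"):
            walk(t[1])
            walk(t[2])
        # 'ev' atoms and variable tests carry no time-outs

    walk(guard)
    return found


# constructed interface: e is an incoming external event, l a local one, o an out event
SAMPLE_DIR = {"e": "in", "l": "local", "o": "out"}.__getitem__
```

A guard such as tm(e, 5) and not l passes, while tm(o, 1) over an out event, or any tm with delay 0, is rejected before the guard reaches the timer machinery.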

The set of actions over events(SC, A) and var(SC, A), which will be denoted by Actions(events(SC, A), var(SC, A)) or simply Actions if the context is understood, is defined by 

    e := true                 where e ∈ Events, dir(e) ≠ in 

    v := exp                  where exp ∈ Exp(var(SC, A))^type(v) 
                              and v ∈ var(SC, A) \ $var(SC), dir(v) ≠ in 

    $v := exp                 where exp ∈ Exp(var(SC, A))^type($v) 
                              and $v ∈ $var(SC) 

    div                       (divergence) 

    if b then a else a' fi    whenever a, a' ∈ Actions 

    a ; a'                    whenever a, a' ∈ Actions 

    sc!(a, texp)              whenever a ∈ Actions. 

Again, we require texp to evaluate to a positive integer at compile time. 
Transition Labels and Static Reactions. We assume that the set of transition names trans(SC) is associated with two additional functions defining the guards and actions of each transition: 

    guard : trans(SC) → Guards(SC, A) 

where Guards(SC, A) = Bexp(events(SC, A) ∪ Tevents(SC, A) ∪ var(SC, A)) defines for t the guard enabling firing of the transition. 

    action : trans(SC) → Actions(SC, A) 

where Actions(SC, A) = Actions(events(SC, A), var(SC, A)) defines for a transition t the action to be executed when t is fired. 

Statecharts allow as well to associate behaviour to states using the concept of static reactions: these consist in their most general form of so called reactions, i.e. a set of pairs guard/action. We model this through the function 

    sr : states(SC) → . 

Annotations to states controlling activation/termination of sibling activities such as within(s) (causing termination of the listed activities whenever exiting the state s) or throughout(s) (causing in addition activation of the listed activities when entering s) can be considered as syntactic sugar for actions to be associated with transitions exiting (resp. entering and exiting) state s using the class of scheduling events listed above, and are thus not considered explicitly in this paper. 

4 The Dynamic Behaviour of Statecharts I: What 
Happens in a Step? 

4.1 Introduction 

We split the discussion of the dynamic behaviour of statecharts into two chap- 
ters, roughly corresponding to the two modes of simulation supported by State- 
Mate. The current chapter focuses on the concept of a step of a statechart. On 
first sight, the concept is very simple: a step effects a transition from a given 
state-configuration and a given valuation of (explicit and implicit) variables and 
events when firing a maximal conflict free set of enabled transitions to a new 
state-configuration and a new valuation of variables and events. This simple con- 
cept becomes complex due to the extension from the simple-minded concept of 
transitions in finite automata to the full-fledged graphical real-time program- 
ming language called statecharts. 

Our approach to tackle this complexity is an incremental presentation of the compositional synchronous transition system associated with a given statechart SC. In particular, the current chapter disregards all issues related to super-steps, incrementing the clock and induced time-bookkeeping issues. Within the chapter, we consider a base model first, which disregards time-outs, scheduled actions, history connectors, and scheduling issues, and introduce these in the above order in subsequent sections. 



4.2 The Base Model 

This section provides a compositional synchronous transition system for a given 
statechart SC. In particular, the model allows handling of shared variables and 
bi-directional events, based on the full interface of the statechart as defined in 
Section 3.2, and the extensions with local explicit and implicit variables and 
events. 

We will denote the CSTS Φ_base = (V_base, Θ_base, ρ_base, E_base) associated with SC by 

    [[SC]]_base 

and will define its constituents in the following subsections. 



The System Variables. External variables of Φ_base are exactly those defined by the full interface of the activity A whose behaviour is defined by SC 

    E_base = full_int(A) 

where for the purpose of this section we ignore all items in the full interface related to timing, super-step synchronization and stabilization, as well as scheduling. To allow a uniform presentation of the semantics, we annotate all external out variables v_out by a prime as in v_out'; primed variables may only be set but never tested by SC. 

V_base is the extension of E_base by local system variables defined as union of the following: 

— a dedicated variable c of type state_conf(SC) carrying the current state-configuration; 

— all local variables var(SC) up to conditions representing states such as in(s) as well as a copy var(SC)' = {v' | v ∈ var(SC)} of these; these are needed to ensure, that variables in expressions as well as guards are evaluated w.r.t. the valuation of variables prior to updating a step: v' carries the value of v resulting from taking the step; note that an occurrence of a context variable $u will be evaluated w.r.t. the current value of $u'; 

— all local events events(SC) as well as a copy events(SC)' of these, again allowing in guards to refer to events generated in the previous step using the unprimed version of events. 
Semantics of Expressions, Guards, and Actions. Recall from Chapter 2 that a valuation of Φ_base is a type preserving mapping assigning values in a (typed) semantic domain D to the system variables. 

    σ : V_base → D 

This valuation extends to a semantics of typed expressions [[exp]]σ canonically; the only non-standard aspect concerns context-variables and conditions on state: 

    [[$u]]σ = σ($u') 
    [[in(s)]]σ = s ∈ σ(c) 

The semantics of an action a in a valuation σ, [[a]]σ, is defined canonically up to handling divergent actions and assignment, using the above expression semantics. 

Divergent actions set the step divergence flag step_div contained in the full interface to true, thus retaining totality of the valuation transformation associated with actions. 

    [[div]]σ = σ[step_div(A)'/true] 

Assignment - whether to context variables or ordinary variables - just updates the primed copy of the variable, such as in 

    [[$u := exp]]σ = σ[$u'/[[exp]]σ]. 
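The expression and action semantics just given, as an added example (not the paper's code): it shows why the ;-operator is parallel for ordinary variables yet sequential for context variables, since ordinary reads go to the pre-step copy and context reads to the primed copy. Expressions and actions are nested tuples of an encoding chosen here, and the valuation SIGMA0 is constructed.

```python
"""Action semantics of the base model: expressions read the pre-step
valuation, except that context variables ($v) read their primed copy,
in(s) tests the state configuration, assignments update only the primed
copy, and div raises step_div(A)'.

Added example, not code from the paper. Expressions and actions are nested
tuples (an encoding chosen here); a valuation is a dict with primed copies
keyed as name + "'" and the state configuration under "c"."""


def eval_exp(exp, sigma):
    """[[exp]]σ for the small expression language used in this example."""
    kind = exp[0]
    if kind == "const":
        return exp[1]
    if kind == "var":
        name = exp[1]
        # [[$u]]σ = σ($u'): context variables see the latest assignment in the ;-list;
        # ordinary variables see the valuation prior to the step
        return sigma[name + "'"] if name.startswith("$") else sigma[name]
    if kind == "in":                       # [[in(s)]]σ = s ∈ σ(c)
        return exp[1] in sigma["c"]
    if kind == "add":
        return eval_exp(exp[1], sigma) + eval_exp(exp[2], sigma)
    if kind == "eq":
        return eval_exp(exp[1], sigma) == eval_exp(exp[2], sigma)
    raise ValueError(f"unknown expression {exp!r}")


def exec_action(action, sigma, activity="A"):
    """[[a]]σ: returns the new valuation; σ itself is left untouched."""
    sigma = dict(sigma)
    kind = action[0]
    if kind == "assign":                   # v := exp / $v := exp  ->  σ[v'/[[exp]]σ]
        sigma[action[1] + "'"] = eval_exp(action[2], sigma)
    elif kind == "gen":                    # e := true
        sigma[action[1] + "'"] = True
    elif kind == "div":                    # σ[step_div(A)'/true]
        sigma[f"step_div({activity})'"] = True
    elif kind == "if":                     # if b then a else a' fi
        branch = action[2] if eval_exp(action[1], sigma) else action[3]
        return exec_action(branch, sigma, activity)
    elif kind == "seq":                    # a ; a'
        return exec_action(action[2], exec_action(action[1], sigma, activity), activity)
    else:
        raise ValueError(f"unknown action {action!r}")
    return sigma


# constructed pre-step valuation: x is an ordinary local variable, $i a context variable
SIGMA0 = {"x": 0, "x'": 0, "$i": 0, "$i'": 0, "e'": False,
          "c": frozenset({"root", "s1"}), "step_div(A)'": False}

INC_X = ("assign", "x", ("add", ("var", "x"), ("const", 1)))
INC_I = ("assign", "$i", ("add", ("var", "$i"), ("const", 1)))


def demo():
    """x := x+1 ; x := x+1 yields x' = 1 (both read the pre-step x), while
    $i := $i+1 ; $i := $i+1 yields $i' = 2 (sequential flavour of context variables)."""
    twice = ("seq", ("seq", INC_X, INC_X), ("seq", INC_I, INC_I))
    result = exec_action(twice, SIGMA0)
    diverged = exec_action(("if", ("in", "s1"), ("div",), ("gen", "e")), SIGMA0)
    return result["x'"], result["$i'"], diverged["step_div(A)'"]
```

Because every assignment lands in a primed copy, the unprimed x stays 0 throughout the step; it is only the copy phase at the step boundary that makes x' visible as x.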



Selecting Steps and Their Effect on State Configurations. A transition t ∈ trans(SC) is enabled in σ, denoted by σ ⊨ en(t), iff its sources are contained in the current state configuration and its guard evaluates to true: 

    σ ⊨ en(t) iff source(t) ⊆ σ(c) and [[guard(t)]]σ = true. 

The following algorithm computes in a top-down fashion a set Steps(σ) of all maximal consistent subsets of transitions enabled in a valuation σ. Taking the priority into account we can stop the algorithm in a branch when an enabled transition is found, as transitions in a deeper arena have lower priorities. 

Starting from the root we traverse through the state hierarchy following the given state configuration σ(c). We inductively define a set of steps relative to a given state s ∈ σ(c), i.e. we compute steps(σ, s) ∈ 2^(2^trans(SC)) satisfying 

    st ∈ steps(σ, s) ⇒ ^.st 

by induction on the depth of s. 

1. mode(s) = Basic: 

    steps(σ, s) = ∅ 

(A basic state has no inner transitions.) 

2. mode(s) = And: 

    steps(σ, s) = {st_1 ∪ ... ∪ st_n | st_i ∈ steps(σ, s_i)} 

where {s_1, ..., s_n} = child(s). 

3. mode(s) = Or: 

Let T = {t_1, ..., t_k} = {t | scope(t) = s and σ ⊨ en(t)} 

(a) T = ∅: 

let s' be the unique child of s in σ(c). 

    steps(σ, s) = steps(σ, s') 

(b) T ≠ ∅: 

all transitions in T have the same priority and they are in conflict to each other. 

    steps(σ, s) = {{t_1}, ..., {t_k}} 

The steps of a given configuration are then computed by: 

    Steps(σ) = steps(σ, root). 

For a given step st ∈ Steps(σ) we compute the sets 

    exited(st) of states in σ(c) exited when firing st, 
    entered(st) of states in σ(c) entered when firing st, and 
    active(st) of states active before and after firing st 

by 

    exited(st) := {s | ∃t ∈ st with scope(t) < s} ∩ σ(c), 

    active(st) := σ(c) \ exited(st), 

    entered(st) := dcompl(active(st) ∪ ⋃_{t ∈ st} target(t)) \ active(st). 
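The top-down step selection and the three state sets above, as an added example that is not the paper's code. Two points are fixed here as assumptions rather than taken from the text: "scope(t) < s" is read as "s lies strictly below scope(t) in the state tree", and a Basic state (hence an Or-state with nothing enabled below it) contributes the empty transition set, so that an And-state still steps when only some of its regions can fire; Steps(σ) then keeps the non-empty candidates. dcompl is implemented as the default completion of a state set into a configuration, and the sample chart is constructed.

```python
"""Top-down step selection steps(σ, s) / Steps(σ) and the sets exited(st),
active(st), entered(st) of a chosen step, following the definitions above.

Added example, not code from the paper. Assumed readings: "scope(t) < s" means
s is strictly below scope(t); a Basic state contributes the empty step, and
Steps(σ) keeps the non-empty candidates; dcompl is the default completion."""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, FrozenSet, List, Optional, Set

Step = FrozenSet[str]                  # a set of transition names


@dataclass
class State:
    name: str
    mode: str                          # "Basic", "And" or "Or"
    parent: Optional[str] = None
    children: List[str] = field(default_factory=list)
    default: Optional[str] = None      # default child of an Or-state


@dataclass
class Transition:
    name: str
    source: FrozenSet[str]
    target: FrozenSet[str]
    scope: str                         # the state in whose arena t lives
    guard: Callable[[dict], bool]      # [[guard(t)]]σ on the pre-step valuation


class Statechart:
    def __init__(self, states: List[State], trans: List[Transition], root: str):
        self.states = {s.name: s for s in states}
        self.trans = {t.name: t for t in trans}
        self.root = root

    def enabled(self, t: Transition, sigma: dict) -> bool:
        """σ ⊨ en(t) iff source(t) ⊆ σ(c) and [[guard(t)]]σ = true."""
        return t.source <= sigma["c"] and t.guard(sigma)

    def steps(self, sigma: dict, s: str) -> Set[Step]:
        st = self.states[s]
        if st.mode == "Basic":
            return {frozenset()}
        if st.mode == "And":           # one choice per child region, united
            return {frozenset().union(*combo) for combo in
                    product(*(self.steps(sigma, ch) for ch in st.children))}
        # Or-state: enabled transitions of this arena win over deeper arenas
        T = [t for t in self.trans.values() if t.scope == s and self.enabled(t, sigma)]
        if not T:
            (child,) = [ch for ch in st.children if ch in sigma["c"]]
            return self.steps(sigma, child)
        return {frozenset({t.name}) for t in T}   # pairwise in conflict

    def Steps(self, sigma: dict) -> Set[Step]:
        return {st for st in self.steps(sigma, self.root) if st}

    def below(self, s: str, anc: str) -> bool:
        p = self.states[s].parent
        while p is not None and p != anc:
            p = self.states[p].parent
        return p == anc

    def dcompl(self, states) -> FrozenSet[str]:
        """Close a state set under ancestors, And-children and Or-defaults."""
        conf: Set[str] = set()
        for s in states:
            while s is not None:
                conf.add(s)
                s = self.states[s].parent
        todo = list(conf)
        while todo:
            st = self.states[todo.pop()]
            if st.mode == "And":
                missing = [ch for ch in st.children if ch not in conf]
            elif st.mode == "Or" and not any(ch in conf for ch in st.children):
                missing = [st.default]
            else:
                missing = []
            conf.update(missing)
            todo.extend(missing)
        return frozenset(conf)

    def effect(self, sigma: dict, step: Step):
        """(exited(st), active(st), entered(st)) for firing step st in σ."""
        c = sigma["c"]
        exited = frozenset(s for s in c
                           if any(self.below(s, self.trans[t].scope) for t in step))
        active = c - exited
        targets = frozenset().union(*(self.trans[t].target for t in step))
        return exited, active, self.dcompl(active | targets) - active


def sample_chart() -> Statechart:
    """root = R1 || R2 with R1 = a | b (b = b1 | b2) and R2 = x | y (constructed)."""
    fs = frozenset
    states = [State("root", "And", None, ["R1", "R2"]),
              State("R1", "Or", "root", ["a", "b"], "a"), State("a", "Basic", "R1"),
              State("b", "Or", "R1", ["b1", "b2"], "b1"),
              State("b1", "Basic", "b"), State("b2", "Basic", "b"),
              State("R2", "Or", "root", ["x", "y"], "x"),
              State("x", "Basic", "R2"), State("y", "Basic", "R2")]
    trans = [Transition("t1", fs({"a"}), fs({"b"}), "R1", lambda s: s["go"]),
             Transition("t2", fs({"x"}), fs({"y"}), "R2", lambda s: s["go"]),
             Transition("t3", fs({"b"}), fs({"a"}), "R1", lambda s: not s["go"]),
             Transition("t4", fs({"b1"}), fs({"b2"}), "b", lambda s: True)]
    return Statechart(states, trans, "root")
```

With go true in the initial configuration {root, R1, a, R2, x} both regions fire and the step is {t1, t2}; entering b pulls in its default child b1 via dcompl. From {root, R1, b, b1, R2, y} with go false, t3 in the arena of R1 shadows t4 inside b, which is exactly the priority rule of the Or-case.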

The Effect of Executing a Step. The diagram in Figure 1 summarizes our 
semantical treatment of steps. Annotations on transitions are elaborated below. 

Passing the Synchronization Barrier. A step is only initiated, if both the envi- 
ronment and the component are willing to initiate a new step. 

Step Selection. Based on the resulting valuation σ of system variables, we compute the set Steps(σ) of all maximally consistent sets of transitions enabled in σ. If Steps(σ) is empty, step_div(A)' remains false and we re-enter the synchronization barrier; otherwise, the resulting valuation will depend on the chosen step st ∈ Steps(σ). Based on the selected st, we can determine, which states remain active. For all such states, we add their static reactions when computing the new valuation of system variables. 

Evaluation Order. Since actions of transitions contained in st as well as those in 
static reactions may assign conflicting values to shared variables, non-determinism 
also arises from the order of evaluation of actions. In this semantics, we choose 
nondeterministically one serialization of all actions of transitions in st and the 
enabled static reactions. The verification tool will instead detect race conditions 
and report an error if races occur. 
Fig. 1. Synchronization cycle 



Action Evaluation. Given an evaluation order, we compute a new valuation of 
primed variables using the action semantics of the selected sequential composi- 
tion of the involved actions. 

Implicit Events and Variables. We then update the primed copies of implicit 
variables and events induced from the previous computation. 

Update State Configuration. The system variable containing the state configu- 
ration is updated with the configuration closure of states entered when firing 
st. 

Making Effect of Step Visible. The initiation of a new step is prepared by copying values of primed system variables, which served to collect the effect of executing the previous step, into their unprimed version using the valuation transformation 

    fast_copy : Σ_base → Σ_base 

    fast_copy(σ)(sv) = σ(sv')   if sv ∈ events(SC, A) ∪ var(SC, A) 
                                and speed(sv) = fast 
                                and dir(sv) ∈ {local, out} 
                       σ(sv)    otherwise. 



Note, that this does not affect the valuation of fast external inputs. While 
in model generation we will only allocate unprimed copies of out variables for 
those, which occur within a changed test, in our semantics we simply copy the 
primed versions into unprimed versions for all out variables. 

Recall, that all fast events only survive one step. Hence, after copying an event generated in the last step to the unprimed variable, the primed version will be reset to false at the beginning of a step, using the valuation transformation defined by 

    fast_reset : Σ_base → Σ_base 

    fast_reset(σ)(sv) = false    if sv = e' for e ∈ events(SC, A) 
                                 and speed(e) = fast 
                                 and dir(e) ∈ {local, out} 
                        σ(sv)    otherwise. 

In particular, fast out events are reset in this initialization phase for the next step. 



Guessing Fast Inputs. Whenever SC has completed “its” part of a step, it guesses 
new values for all fast external system variables, including the step-flag of the 
environment and updates its fast out variables and events. 

We note, however, that the environment is not completely free in guessing values of inputs. Recall from Chapter 3, that bi-directional events and variables of the external interface of A are replaced by two directed copies, and that for each variable v events written_out(v)' and written_in(v) as well as events monitoring changes of v, changed_out(v)' resp. changed_in(v), have been introduced to give a compositional semantics to accesses to shared variables. We handle resolution of conflicting accesses to shared events and variables externally to the SC (through a "monitor activity" described in more detail in Chapter 6). Resolving conflicts for events is simple: all subactivities of an activity chart indicate via their out copy of the event, whether the event was generated in this subactivity; it is generated in the step, if at least one subactivity has raised the out line of this event, hence shared events are handled by a "wired or", propagated back to the subactivities through the in copy. For shared variables, the written_out lines of all subactivities are resolved similarly, in particular setting the written_in line if at least one subactivity has written a value on the variable. The value written is offered on the out copy of variable v to the monitor; if more than one writer exists, the monitor also propagates the value offered by the winning subactivity to all subactivities through the in copy of v. 

For reasons of efficiency in model generation, the actual implementation treats shared variables slightly differently: the written_in line is only set, if a sibling activity writes on v, hence indicating, that the locally computed value is invalid. However, if written_in is not set, the locally computed value is valid, hence the propagation from v_out to the v_in copy has to be done within the model, by extending the copy valuation transformer defined below. 

Changed events are handled analogously to written events by the monitor. 

We formalize these remarks as invariants restricting values of guessed in- 
puts within the formal definition of the transition relation associated with the 
synchronization barrier. 

Consider a valuation σ resulting from the execution of a previous step (we discuss conditions on the initial valuation in a subsequent subsection). We formally define the transition relation ρ_base modelling the effect of a step as the product of transition relations corresponding to the different phases elaborated above: 

    ρ_base = ρ_synch ⊗ ρ_action_evaluation_state ⊗ ρ_copy_reset ⊗ ρ_guess_fast_inputs 

of subrelations defined below. 

— ρ_synch is just a partial identity on Σ_base guaranteeing synchronization: 

    σ ρ_synch σ' iff σ = σ' ∧ σ(step_div(A)) = σ(step_div_env(A)) = false 

— We define the relation ρ_copy_reset on valuations in Σ_base by 

    σ ρ_copy_reset σ' iff σ' = fast_reset(fast_copy(σ)). 

New valuations computed at the current step are copied into unprimed variables, and the primed versions of fast out and local events are reset. 

— ρ_guess_fast_inputs guesses new values only for fast inputs, keeps slow out events and slow variables stable, and resets slow in events, since these only survive one step. Formally 

    σ ρ_guess_fast_inputs σ' iff 

    • ∀sv ∈ var(SC) ∪ events(SC) ∪ var(SC)' ∪ events(SC)' ∪ {c, c'} 
          ∪ {e ∈ events(A) | dir(e) = out} 
          ∪ {v ∈ var(A) | speed(v) = slow ∨ dir(v) = out} : 
        σ(sv) = σ'(sv) 

    • ∀e ∈ events(A) : dir(e) = in ∧ speed(e) = slow ⇒ σ'(e) = false 

    • ∀e ∈ events(A) : speed(e) = fast ∧ dir(e) = inout ∧ σ(e_out) = true ⇒ σ'(e_in) = true 

    • ∀v ∈ var(A) : speed(v) = fast ∧ dir(v) = inout ∧ σ(written_in(v)) = false ⇒ σ'(v_in) = σ'(v_out'). 
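The step boundary as an added example covering both the fast_copy/fast_reset transformers defined earlier and the four constraints of ρ_guess_fast_inputs just listed (not the paper's code). The interface is given as a table name → (kind, dir, speed); an inout object stands for its two directed copies name_in and name_out, primed copies are keyed as name + "'", and the implicit event written_in(v) is a plain key. This encoding and the sample valuation are constructed for the example.

```python
"""Step boundary of the base model: ρ_copy_reset (fast_copy then fast_reset)
and the admissibility constraints that ρ_guess_fast_inputs places on the
environment's guess of fast inputs.

Added example, not code from the paper. Interface table: name -> (kind, dir,
speed); an inout object stands for its directed copies name_in / name_out;
primed copies are keyed name + "'"; written_in(v) is a plain key."""
from typing import Dict, List, Tuple

Iface = Dict[str, Tuple[str, str, str]]   # name -> (kind, dir, speed)


def system_vars(iface: Iface) -> Iface:
    """full_int: replace each bidirectional object by its two directed copies."""
    sv: Iface = {}
    for name, (kind, d, speed) in iface.items():
        if d == "inout":
            sv[name + "_in"], sv[name + "_out"] = (kind, "in", speed), (kind, "out", speed)
        else:
            sv[name] = (kind, d, speed)
    return sv


def fast_copy(sigma: dict, iface: Iface) -> dict:
    """σ(sv) := σ(sv') for fast local/out events and variables; nothing else moves."""
    new = dict(sigma)
    for sv, (_kind, d, speed) in system_vars(iface).items():
        if speed == "fast" and d in ("local", "out"):
            new[sv] = sigma[sv + "'"]
    return new


def fast_reset(sigma: dict, iface: Iface) -> dict:
    """Fast local/out events live one step: their primed copies go back to false."""
    new = dict(sigma)
    for sv, (kind, d, speed) in system_vars(iface).items():
        if kind == "event" and speed == "fast" and d in ("local", "out"):
            new[sv + "'"] = False
    return new


def copy_reset(sigma: dict, iface: Iface) -> dict:
    """ρ_copy_reset: σ' = fast_reset(fast_copy(σ))."""
    return fast_reset(fast_copy(sigma, iface), iface)


def guess_violations(sigma: dict, guess: dict, iface: Iface) -> List[str]:
    """Constraints of ρ_guess_fast_inputs between σ (after copy/reset) and the
    environment's guess σ'. Returns the violated ones; an empty list means admissible."""
    bad: List[str] = []
    for sv, (kind, d, speed) in system_vars(iface).items():
        if d == "local":                      # local objects, primed and unprimed
            frozen = [sv, sv + "'"]
        elif d == "out" or (kind == "var" and speed == "slow"):
            frozen = [sv]                     # out events, out and slow variables
        else:
            frozen = []
        bad += [f"{x} changed by environment" for x in frozen
                if sigma.get(x) != guess.get(x)]
        if kind == "event" and d == "in" and speed == "slow" and guess.get(sv) is not False:
            bad.append(f"slow in event {sv} not reset")
    if sigma.get("c") != guess.get("c"):
        bad.append("state configuration c changed")
    for name, (kind, d, speed) in iface.items():
        if d != "inout" or speed != "fast":
            continue
        if kind == "event" and sigma[name + "_out"] and not guess[name + "_in"]:
            bad.append(f"wired-or: {name}_out raised but {name}_in not set")
        if kind == "var" and not sigma[f"written_in({name})"] \
                and guess[name + "_in"] != guess[name + "_out'"]:
            bad.append(f"{name}_in must carry the locally written value of {name}")
    return bad


# constructed interface and post-action valuation of one step
SAMPLE_IFACE: Iface = {
    "e": ("event", "inout", "fast"), "v": ("var", "inout", "fast"),
    "written_in(v)": ("event", "in", "fast"),
    "l": ("event", "local", "fast"), "x": ("var", "local", "fast"),
    "s": ("event", "in", "slow"), "o": ("event", "out", "fast"),
}
SIGMA_STEP = {"e_in": False, "e_out": False, "e_out'": True,
              "v_in": 1, "v_out": 1, "v_out'": 7, "written_in(v)": False,
              "l": False, "l'": True, "x": 0, "x'": 3,
              "s": True, "o": False, "o'": True, "c": frozenset({"root"})}
```

After copy_reset the generated event e_out and the written value 7 of v_out become visible and e_out' is cleared; an admissible guess then has to reset the slow input s, reflect e_out on e_in (the wired or), and, since no sibling wrote v, carry v_out' over to v_in. Any guess that touches a local or out object, or skips one of these propagations, is reported.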

— We define the relation ρ_action_evaluation_state on valuations in Σ_base by 

    σ ρ_action_evaluation_state σ' iff 
        ∃st ∈ Steps(σ) ∃n ∈ ℕ ∃a = a_1; ... ; a_n ∈ Actions(SC) : 
            {a_1, ..., a_n} = action_set(st, σ) 
            ∧ σ' = update_implicits(st, [[a]]σ). 

The resulting state is changed by evaluating the actions associated with all transitions of a chosen step and static reactions enabled in this step in some sequential order, yielding a new valuation [[a]]σ. In the above definition, we abbreviated the set of actions from transitions in st as well as of enabled static reactions by 
    action_set(st, σ) = ⋃_{t ∈ st} action(t) 
                        ∪ {a' | ∃s ∈ active(st) ∃g ∈ Guards(SC, A) : (g, a') ∈ sr(s) ∧ [[g]]σ = true}. 

This valuation is further transformed by generating all implicit events and setting implicit variables resulting from the evaluation of transitions in st and enabled static reactions, and by updating the state-configuration according to the step st selected and generating all implicit events associated with changing the state-configuration. Note that we can safely use the valuation [[a]]σ = σ' rather than the predecessor valuation σ, since the semantics of guards of transitions and static reactions and of expressions is by construction not affected by the evaluation of a. 

We present now the formal definition of this auxiliary function, which takes as parameters a set of (maximal conflict free enabled) transitions st and a valuation σ_step and updates this valuation by analyzing what implicits have to be generated. 

    update_implicits(st, σ_step)(sv) = 

        true   if sv = written_out(v)' for some external variable v 
               and v ∈ writeset(action_set(st, σ_step)) 

        true   if sv = changed_out(v)' for some external variable v 
               and σ_step(v_out') ≠ σ_step(v_out) 

        true   if sv = read_out(v)' for some external variable v 
               and v ∈ readset(action_set(st, σ_step)) 
               or (∃t ∈ trans(SC) : source(t) ⊆ σ_step(c) ∧ v ∈ readset(guard(t))) 
               or v ∈ readset(g) for some guard g ∈ Guards(SC, A) 
                  s.t. there exists s ∈ active(st) and a' ∈ Actions(SC, A) with (g, a') ∈ sr(s) 

        true   if sv = written(v)' for some local variable v 
               and v ∈ writeset(action_set(st, σ_step)) 

        true   if sv = changed(v)' for some local variable v 
               and σ_step(v') ≠ σ_step(v) 

        true   if sv = read(v)' for some local variable v 
               and v ∈ readset(action_set(st, σ_step)) 
               or (∃t ∈ trans(SC) : source(t) ⊆ σ_step(c) ∧ v ∈ readset(guard(t))) 
               or v ∈ readset(g) for some guard g ∈ Guards(SC, A) 
                  s.t. there exists s ∈ active(st) and a' ∈ Actions(SC, A) with (g, a') ∈ sr(s) 

        active(st) ∪ entered(st)   if sv = c (state-configuration) 

        true   if sv = exited(s)' and s ∈ exited(st) 

        true   if sv = entered(s)' and s ∈ entered(st) 

        σ_step(sv)   otherwise 

Note, that also primed versions of slow events and variables are updated. 
However, they first become visible when copied into their unprimed version at 
superstep boundaries. 

Initial Valuation. An initial valuation of the base-transition system is a valuation σ satisfying the conjuncts of Θ_base defined below: 

— the initial valuation of c, the system variable maintaining the current state configuration, is simply the closure of the root-state of SC: 

    σ(c) = dcompl(root(SC)) 

— initially no event is present: 

    σ(e_out') = false = σ(e_in)   for all fast inout events e 
    σ(e') = false                 for all out events e 
    σ(e) = false                  for all fast in events e 
    σ(e') = false = σ(e)          for all local events e 

Note, that this entails, that initially both SC as well as its environment are willing to initiate a step. Slow in events are not restricted. 

— all variables carry predefined default values: we assume for each type type in StateMate's type system a default value in D^type and require 

    σ(v_out') = σ(v_in) = σ(v_out) = the default value of type(v)   for all inout variables v 
    σ(v') = σ(v) = the default value of type(v)                      for all out variables v 
    σ(v) = the default value of type(v)                              for all in variables v 
    σ(v') = σ(v) = the default value of type(v)                      for all local variables v. 

Note that this valuation is consistent with all changed events being absent. 

4.3 Adding Time-outs and Scheduled Actions 

Introduction. Statecharts support two constructs to model the real-time behaviour 
of the SUD. 

Time-outs of the form tm(te, texp) allow monitoring the time period elapsed 
since the last occurrence of the monitored event te. Intuitively, whenever the 
monitored event occurs, a timer associated with te is reset. If it is allowed to 
increment to the value denoted by texp, an interrupt is raised signalling that 
the given time period has expired. The simulator handles this by generating 
an event, which is included in the list of events generated in the step where the 
exception was raised. Since individual steps in the asynchronous semantics are 
executed in zero time, this time-out event is to be considered as being raised 
somewhere in the current super-step, at the value of the clock when initiating 
the current super-step, and hence is handled as a slow event. Since the interrupt 
raised is considered to be an event, it is natural to allow such interrupt 
events themselves to be monitored by time-outs, hence the provision for nested time-outs. 

Our semantics - and in fact also the model generated for verification - models 
time-outs slightly differently, though semantically equivalently. With each event 
te monitored by a time-out, we keep one counter, which is reset whenever te occurs. 
The counter is incremented whenever the clock advances, i.e. at super-step 
boundaries only, in the way described in detail in the chapter to come. All time-out 
expressions occurring in guards are evaluated with respect to this counter, 
hence comparing the current value of the counter with the value indicated by 
texp. Our mechanism of advancing the clock will guarantee that we will always 
have super-steps initiated at exactly the expiration time of a time-out. The semantics 
given below will hence evaluate such a time-out in a guard to true if 
the value of the relevant counter equals the value given by the time expression 
texp. 

As pointed out in the introduction, we assume in this paper that the time 
unit of time expressions coincides with clock ticks. 

Scheduled actions of the form scl(a, texp) allow triggering the evaluation of action 
a after the delay specified by texp. For each action a occurring within a scheduled 
action, we maintain one list of scheduled delay times for executing a. Evaluating 
the above scheduled action then updates the delay list associated 
with a with the delay entry obtained by evaluating texp. This time, delays 
are decremented as the clock advances, i.e. at super-step boundaries. Again we 
will guarantee in Chapter 5 that the clock is never incremented beyond a relevant 
delay, hence there will always be a super-step initiated at exactly the point 
in time when a delay expires. The scheduled action is then simply added to the 
list of actions evaluated in the first step of this super-step. 

The subsequent sections will only formalize those aspects of these constructs 
which are independent of advancement of the clock. 

We construct the CSTS Φ_time = (V_time, Θ_time, ρ_time, E_time) associated with 
SC, 

\[ \mathit{CSTS}[SC]_{time} , \]

by defining the changes to the base model in the subsequent sections. 



The System Variables. We add to the set of system variables for each event 
te monitored in time-outs a local fast integer variable expire(te). Moreover, for 
each action a occurring within a scheduled action we associate a local fast 
variable schedule(a) of type set of integers. The set of external variables is not 
extended w.r.t. the base model. 

More formally, let 

\[
\mathit{Sactions}(SC) = \{ a \in \mathit{Actions}(SC, A) \mid a \in \mathit{action}(\mathit{trans}(SC)) \vee
\exists s \in \mathit{states}(SC)\; \exists g \in \mathit{Guards}(SC, A)\; (g, a) \in sr(s) \}
\]

then we define 

\[
V_{time} = V_{base} \cup \{ \mathit{expire}(te) \mid te \in \mathit{Tevents}(SC, A) \}
\cup \{ \mathit{schedule}(a) \mid a \in \mathit{Sactions}(SC) \} .
\]



Semantics of Expressions, Guards, and Actions. We extend the semantics 
of boolean expressions allowed as guards by defining 

\[ [\![ tm(te, texp) ]\!]\sigma = true \quad \text{iff} \quad \sigma(\mathit{expire}(te)) = [\![ texp ]\!]\sigma . \]

We extend the semantics of actions to scheduled actions by defining 

\[ [\![ scl(a, texp) ]\!]\sigma = \sigma[\mathit{schedule}(a) / \sigma(\mathit{schedule}(a)) \cup \{ [\![ texp ]\!]\sigma \}] . \]

Note that it is safe to perform the update directly on the local variable (rather 
than a primed copy), because the value of the timer will first be tested at initiation 
time of the next super-step. 



The Effect of Executing a Step. When checking for enabledness of transitions 
and static reactions, we now take into account time-outs using the adapted 
semantic function for guards. Similarly, the adaption of the action semantics 
defined above already covers inserting future scheduling points for scheduled actions 
appearing as annotations in fired transitions and enabled static reactions. 
The one issue still to be resolved in this chapter relates to resetting the timer 
for time-outs whenever the monitored event occurs. 

Recall from Chapter 3 that the syntax of StateMate provides for nested 
time-outs, and allows boolean combinations of such nested time-outs and events 
to be monitored. While nested time-outs by construction will only be reset when 
the clock advances (and hence at super-step boundaries, see Section 5.4), we have 
to address in this section the resetting of timers due to the occurrence of events which 
either were generated locally during the current step or provided as input when 
entering the step. 

We now formally define, by induction on the monitored event te, a function 
reset_cond(te) which takes a valuation of system variables and determines 
whether the reset condition for te has occurred. For local events, the reset condition 
is obvious: we simply check the (primed version of the) event for presence. 
Now consider a time-out event of the form te' = tm(te, texp'), where 
te = tm(e, texp). We have to reset the timer associated with te' whenever te occurs. 
Since in our semantics the occurrence of a time-out event te is represented 
by the condition that the timer associated with te has reached the expiration 
time texp, this defines the reset condition for te'. These base cases are then 
canonically extended to define reset conditions for all time-out events. 

We define 

\[ \mathit{reset\_cond}(te) : \Sigma_{time} \to \{ true, false \} \]

inductively by 

\[
\begin{array}{lcl}
\mathit{reset\_cond}(e)(\sigma) & = & (\sigma(e') = true) \quad \text{for all local events } e \\
\mathit{reset\_cond}(e)(\sigma) & = & (\sigma(e) = true) \quad \text{for all events } e \text{ with } \mathit{dir}(e) = in \\
\mathit{reset\_cond}(tm(te, texp))(\sigma) & = & (\sigma(\mathit{expire}(te)) = [\![ texp ]\!]\sigma) \\
\mathit{reset\_cond}(\mathit{not}\ te)(\sigma) & = & \neg\, \mathit{reset\_cond}(te)(\sigma) \\
\mathit{reset\_cond}(te_1\ \mathit{and}\ te_2)(\sigma) & = & (\mathit{reset\_cond}(te_1)(\sigma) \wedge \mathit{reset\_cond}(te_2)(\sigma)) \\
\mathit{reset\_cond}(te_1\ \mathit{or}\ te_2)(\sigma) & = & (\mathit{reset\_cond}(te_1)(\sigma) \vee \mathit{reset\_cond}(te_2)(\sigma))
\end{array}
\]



We now integrate the resetting of timers induced by changes of local variables 
and guessed input events as part of the implicit effects of executing a step. Note 
that within steps no timers will be reset due to expired time-outs, since the clock 
is only advanced at super-step boundaries. We will reuse the function reset_cond 
in Chapter 5 to treat resets induced by expired time-outs. 

We extend the function update_implicits by 

\[
\mathit{update\_implicits}(st, \sigma_{step})(sv) =
\begin{cases}
\text{all cases listed in Section 4.2 (except the otherwise clause)} \\[3pt]
0 & \text{if } sv = \mathit{expire}(te) \text{ for some time-out event } te \text{ and } \mathit{reset\_cond}(te)(\sigma_{step}) = true \\[3pt]
\sigma_{step}(sv) & \text{otherwise .}
\end{cases}
\]



Initial Valuation. Initially, we want to ensure that all time-outs occurring 
in guards evaluate to false. Moreover, since initially no event is present, just 
letting time pass should not cause a time-out to expire (unless, of course, the 
monitored event has been generated). We thus extend our semantic domain for 
timers with a non-standard integer t_max satisfying n < t_max, and initialize all 
counters expire(te) with t_max. 

Initially, no action is scheduled, hence we set schedule(a) = ∅ for all scheduled 
actions a. 



4.4 Adding History 

Introduction. History connectors allow reentering an OR-state in the child 
last visited. To this end, the target of a transition points to the history 
connector associated with an OR-state rather than to the OR-state itself. By 
definition, if the OR-state has not yet been visited, the default state associated 
with the OR-state is entered. The history of a state can be cleared by emitting 
the clear-history event. Following standard practice, the effect of clearing the 
history will first become visible in the subsequent step. 

If not only the child but the complete configuration below the considered 
OR-state is to be retrieved, so-called deep history connectors may be used as 
targets of transitions; these conceptually store not only the last visited child 
but also all its last visited descendants. Again, a dedicated event allows 
clearing such a deep history. 

In this paper we assume that events dedicated to clearing history can only 
be emitted and never tested, allowing us to maintain only the primed version 
of these events. The role of the unprimed version is taken over by local fast 
variables h_s introduced for each OR-state s (the actual implementation will carry 
out a dependency analysis to reduce the number of such variables). For these, 
no primed version is needed, since they are only manipulated through the clear-history 
events. 

We construct the CSTS Φ_hist = (V_hist, Θ_hist, ρ_hist, E_hist) associated with SC, 

\[ \mathit{CSTS}[SC]_{hist} , \]

by defining the changes to the time model in the subsequent sections. 



The System Variables. We add to the set of system variables primed versions 
of clear-history and deep-clear-history events and local fast variables of type 
states(SC) remembering the last visited child for all OR-states of SC. More 
formally, we define 

\[ V_{hist} = V_{time} \cup \{ \mathit{hcl}(s)', \mathit{dcl}(s)', h_s \mid s \in \mathit{states}(SC) \wedge \mathit{mode}(s) = Or \} . \]

The set of external variables is not extended w.r.t. the time model. 



Semantics of Expressions, Guards, and Actions. Clear-history events 
occurring in actions are handled like all local fast events, inducing only an update 
of the primed version of the event. Since none of the introduced objects is allowed 
in guards or expressions, no change is required in the definition of their semantics. 



The Effect of Executing a Step. To determine the effect of firing a set 
of transitions on the state configuration, we have to take into account history 
connectors occurring in targets of transitions. To this end, we define the concept 
of a history completion of a connector h w.r.t. a current valuation σ, in particular 
determining the state configuration before firing the step as well as the current 
history of all OR-states. 

The history completion hcompl(h, σ) of a connector h w.r.t. a given valuation 
σ is given by 

\[
\begin{array}{ll}
h \in \mathit{Hconn}(SC): & \mathit{hcompl}(h, \sigma) = \{ \mathit{state}(h), \sigma(h_{\mathit{state}(h)}) \} \\[3pt]
h \in \mathit{Dhconn}(SC): & \mathit{hcompl}(h, \sigma) = S \text{ where } S \text{ is the smallest set satisfying}
\end{array}
\]

• state(h) ∈ S 

• s ∈ S and mode(s) = And then child(s) ⊆ S 

• s ∈ S and mode(s) = Or then σ(h_s) ∈ S . 

For a set H of history connectors the history completion is given by the union 
of the individual history completions: 

\[ \mathit{hcompl}(H, \sigma) := \bigcup_{h \in H} \mathit{hcompl}(h, \sigma) \]

The modification of the set entered{st) of a step st taking history connectors 
into account is given by 

entered(st) := 




where conn(target(t)) denotes the set of history connectors in the target set of 
t, i.e. 

\[ \mathit{conn}(\mathit{target}(t)) = \mathit{target}(t) \cap (\mathit{Hconn}(SC) \cup \mathit{Dhconn}(SC)) . \]

The definitions of exited(st) and active(st) are not affected by history connectors 
and are given as in Section 4.2. 

We update the history variables for all OR-states exited when firing the step 
by extending the function update_implicits with the following cases: 

\[
\mathit{update\_implicits}(st, \sigma_{step})(sv) =
\begin{cases}
\text{all cases listed in Section 4.3 (except the otherwise clause)} \\[3pt]
s' & \text{if } \exists s \in \sigma_{step}(c)\; sv = h_s \wedge s \in \mathit{exited}(st) \wedge \mathit{mode}(s) = Or \\
   & \quad \wedge\ \mathit{child}(s) \cap \sigma_{step}(c) = \{ s' \} \\[3pt]
\sigma_{step}(sv) & \text{otherwise .}
\end{cases}
\]

The last required modification relates to the fast_copy function, which has to 
reset history variables if a clear-history event has been emitted. We extend the 
definition of this function to history variables by defining 

\[
\mathit{fast\_copy}(\sigma)(sv) =
\begin{cases}
\text{all cases listed in Section 4.2 (except the otherwise clause)} \\[3pt]
\mathit{default}(s) & \text{if } sv = h_s \text{ and } \sigma(\mathit{hcl}(s)') = true \vee \exists s'\; \sigma(\mathit{dcl}(s')') = true \wedge s' < s \\[3pt]
\sigma(sv) & \text{otherwise .}
\end{cases}
\]

Initial Valuation. Initially, no clear-history event has been generated and all 
history variables carry the default entry point of the associated OR-state. 
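The history-completion closure and the h_s bookkeeping of this section, as an added Python illustration that is not the paper's own code, run on a small constructed statechart; reading the clearing condition s' < s as "s' is s itself or one of its ancestors" is our assumption.

```python
"""History connectors (Section 4.4) on a constructed statechart: hcompl for
plain and deep history connectors, the h_s update on exiting an OR-state,
and the clearing performed by fast_copy on hcl(s)' / dcl(s)' events."""
from typing import Dict, Set

# Constructed state tree: root (Or) has children A (And) and B; the AND-state
# A runs the OR-states P and Q in parallel, whose children are basic states.
MODE = {"root": "Or", "A": "And", "B": "Basic", "P": "Or", "Q": "Or",
        "P1": "Basic", "P2": "Basic", "Q1": "Basic", "Q2": "Basic"}
CHILD = {"root": {"A", "B"}, "A": {"P", "Q"}, "P": {"P1", "P2"}, "Q": {"Q1", "Q2"}}
DEFAULT = {"root": "A", "P": "P1", "Q": "Q1"}      # default(s) of each OR-state
PARENT = {c: p for p, cs in CHILD.items() for c in cs}


def is_below(s: str, anc: str) -> bool:
    """True if anc is s itself or a proper ancestor of s (our reading of the
    paper's condition s' < s for deep clearing; an assumption)."""
    while s is not None:
        if s == anc:
            return True
        s = PARENT.get(s)
    return False


def hcompl_history(s: str, hist: Dict[str, str]) -> Set[str]:
    """h in Hconn(SC) with state(h) = s: {state(h), sigma(h_state(h))}."""
    return {s, hist[s]}


def hcompl_deep(s: str, hist: Dict[str, str]) -> Set[str]:
    """h in Dhconn(SC): least set S containing state(h) and closed under
    'And-state in S => all children in S' and 'Or-state in S => remembered
    child in S', computed by fixpoint iteration."""
    S = {s}
    while True:
        new = set(S)
        for x in S:
            if MODE[x] == "And":
                new |= CHILD[x]
            elif MODE[x] == "Or":
                new.add(hist[x])
        if new == S:
            return S
        S = new


def update_history(config: Set[str], exited: Set[str],
                   hist: Dict[str, str]) -> Dict[str, str]:
    """The h_s case of update_implicits: every exited OR-state in the current
    configuration remembers the single child that was active."""
    out = dict(hist)
    for s in config & exited:
        if MODE[s] == "Or":
            (child,) = CHILD[s] & config      # exactly one active child
            out[s] = child
    return out


def fast_copy_history(events: Set[str], hist: Dict[str, str]) -> Dict[str, str]:
    """fast_copy on h_s: back to default(s) if hcl(s)' was emitted, or dcl(s')'
    was emitted for some s' at or above s."""
    out = dict(hist)
    for s in hist:
        if f"hcl({s})'" in events or any(
                f"dcl({anc})'" in events for anc in MODE if is_below(s, anc)):
            out[s] = DEFAULT[s]
    return out


def run_scenario() -> Dict[str, object]:
    """Exit A while P2 and Q2 are active, reenter via (deep) history, then
    clear A's history deeply and look at the reentry configuration again."""
    hist = dict(DEFAULT)                          # initial valuation of all h_s
    config = {"root", "A", "P", "P2", "Q", "Q2"}
    exited = {"A", "P", "P2", "Q", "Q2"}          # a transition A -> B fires
    hist = update_history(config, exited, hist)
    reentry_deep = hcompl_deep("A", hist)         # deep history connector on A
    reentry_plain = hcompl_history("P", hist)     # plain history connector on P
    hist = fast_copy_history({"dcl(A)'"}, hist)   # deep clear emitted for A
    after_clear = hcompl_deep("A", hist)
    return {"hist": hist, "deep": reentry_deep, "plain": reentry_plain,
            "after_clear": after_clear}
```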

4.5 Adding Scheduling Control 

Introduction. Until now we have considered the dynamic behaviour of statecharts 
at the step level when activated. The StateMate system provides a flexible 
mechanism for controlling activities: the controlling statechart can base decisions 
on activation or termination, suspension or resumption not only on the 
current activation status of an activity, but on in principle arbitrarily complex 
evaluations involving not only the current state configuration but also the valuation 
of events and variables, by allowing scheduling constructs to appear as first-class 
citizens wherever events are allowed to occur. This section addresses what 
little overhead is required in the formal model to cope with scheduling: informally, 
we encapsulate the behaviour of statecharts depicted by the automaton 
of Fig. 1 in an OR-state not_hanging which is itself contained in an OR-state active, 
and add two states inactive and hanging. The state not_hanging is entered 
whenever st!(A) resp. rs!(A) has been emitted, and left whenever sp!(A) resp. 
sd!(A) has been emitted - see Fig. 2 below. The conditions hanging and active simply 
correspond to the conditions monitoring whether the corresponding states 
are active. Stopping an activity means resetting the state configuration to the 
default completion of its root and clearing all events. The system variables are 
not reset to the initial valuation. Thus starting a stopped activity may lead to 
a different behaviour than the initial activation. In contrast, suspension of an 
activity also freezes the current state configuration. 

A special treatment is required for synchronization events. Consider an activity 
chart with two components C_1, C_2, only one of which, say C_1, is active. 
Clearly C_2 is part of the environment of C_1, hence C_2 has to give its permission 
to C_1 to pass its step-synchronization barrier. Thus, even if C_2 is not active or if 
it is hanging, it should still participate in handshakes regarding synchronization. 
It does so on the basis of the current valuation of its synchronization flags: for 
stopped activities, this entails that they only provide positive answers to synchronization 
requests; for suspended activities, this depends on the valuation of 
the synchronization flags at suspension time. Note that by definition all scheduling 
actions only affect an activity's behaviour at step boundaries. 

A more subtle issue regarding suspended activities is a conflict of principles 
regarding the treatment of fast events: 

— suspension calls for freezing the current valuation; 

— however, since even suspended activities participate in steps, the fragile nature 
of events calls for resetting these after the first step passed while being suspended. 

The following formal definition follows the second variant. 



[Fig. 2 is a statechart drawing not reproduced here. The labels recoverable from it are the states SCHEDULING_CONTROL(A), ACTIVE(A), NOT_HANGING(A), HANGING(A), INACTIVE(A) and STUCK(A), and the transition labels "step_synchronization / step_selection", "action_evaluation", "copy_reset", "guess_fast_inputs", "step_synchronization and not st!(A) / guess_st!_step_div_env", "/ started(A)", "sd!(A) / fast_reset", "step_synchronization and not rs!(A) / guess_rs!_step_div_env", "/INIT" and "step_div(A) or step_div_env(A)".] 

Fig. 2. Scheduling Control 



We finally mention that termination connectors can be equivalently expressed 
by viewing such a connector as a normal state and asking transitions entering this 
state to include a self-stopping event in their action part. 
System Variables. The external system variables required have already been 
summarized in Section 3.2. We enrich E_hist by the fast events {st!(A), sp!(A), sd!(A), 
rs!(A)}, the fast out events {started(A)', stopped(A)'} and the boolean fast out variables 
{hanging(A)', active(A)'} to obtain E_schedule. The set V_schedule of local system 
variables remains unchanged w.r.t. V_hist. 

The Effect of Executing a Step. We first define ρ_active_synch, requiring additionally 
to ρ_synch that the activity is active. 

σ ρ_active_synch σ' iff 

• σ = σ' 

• σ(step_div(A)) = σ(step_div_env(A)) = false 

• σ(active(A)') = true 

• σ(hanging(A)') = false 

• σ(sp!(A)) = false 

• σ(sd!(A)) = false 

We will redefine the step-transition relation using the additional activation 
check in synchronization, hence disabling all steps otherwise, and providing tran- 
sitions characterizing the alternative behaviours depicted in Fig. 2 when being 
inactive, hanging or not hanging. 

To pass from the inactive to the active state, we use ρ_start: 

σ ρ_start σ' iff 

• σ(st!(A)) = true 

• σ(step_div(A)) = σ(step_div_env(A)) = false 

• σ(active(A)') = false 

• σ' = σ[active(A)'/true][hanging(A)'/false][started(A)'/true] 

Whenever the stop event occurs, A becomes inactive, the stopped event is 
generated, and the invariant characterizing the initial valuation becomes true. 

σ ρ_stop σ' iff 

• σ(sp!(A)) = true 

• σ(step_div(A)) = σ(step_div_env(A)) = false 

• σ'(stopped(A)') = true 

• σ'(active(A)') = false = σ'(hanging(A)') 

• σ'(c) = dcompl(root(SC)) 

When inactive, the controller monitors at each step for start requests, as 
captured in the transition relation ρ_inactive defined by 

σ ρ_inactive σ' iff 

• σ(st!(A)) = false 

• σ(step_div(A)) = σ(step_div_env(A)) = false 

• σ(active(A)') = false 

• σ' = σ[st!(A)/b_st][step_div_env(A)/b_div] 

for some b_st, b_div ∈ {true, false} . 

When hanging, the controller monitors at each step for resume requests, as 
captured in the transition relation ρ_hanging defined by 

σ ρ_hanging σ' iff 

• σ(rs!(A)) = false 

• σ(step_div(A)) = σ(step_div_env(A)) = false 

• σ(active(A)') = true 

• σ(hanging(A)') = true 

• σ' = σ[rs!(A)/b_rs][step_div_env(A)/b_div] 

for some b_rs, b_div ∈ {true, false} . 

Once a resume request occurs, the status changes from hanging to not_hanging. 

σ ρ_resume σ' iff 

• σ(rs!(A)) = true 

• σ(step_div(A)) = σ(step_div_env(A)) = false 

• σ(active(A)') = true 

• σ(hanging(A)') = true 

• σ' = σ[hanging(A)'/false] . 

When active, the activity becomes suspended upon a suspend request: 

σ ρ_suspend σ' iff 

• σ(sd!(A)') = true 

• σ(step_div(A)) = σ(step_div_env(A)) = false 

• σ(active(A)') = true 

• σ(hanging(A)') = false 

• σ' = fast_reset(σ)[active(A)'/true][hanging(A)'/true] . 

Reaching a termination connector will emit a stopped event. Hence we modify 
the function update_implicits by 

\[
\mathit{update\_implicits}(st, \sigma_{step})(sv) =
\begin{cases}
\text{all cases listed in Section 4.4 (except the otherwise clause)} \\[3pt]
true & \text{if } sv = \mathit{stopped}(A)' \text{ and } \exists t \in st \text{ with } \mathit{target}(t) \cap \mathit{Tconn} \neq \emptyset \\[3pt]
\sigma_{step}(sv) & \text{otherwise .}
\end{cases}
\]

We finally define the transition relation ρ_schedule as the union of the transition 
relations characterizing the possible behaviours in the states inactive, not_hanging 
and hanging. Observe that an activity will immediately participate in the current 
step when it receives a start or resume event. 

\[
\begin{array}{lcl}
\rho_{schedule} & = & \rho_{inactive} \\
 & \cup & \rho_{start} \circ \rho_{action\_evaluation} \circ \rho_{copy\_reset} \circ \rho_{guess\_fast\_inputs} \\
 & \cup & \rho_{active\_synch} \circ \rho_{action\_evaluation} \circ \rho_{copy\_reset} \circ \rho_{guess\_fast\_inputs} \\
 & \cup & \rho_{stop} \\
 & \cup & \rho_{suspend} \\
 & \cup & \rho_{hanging} \\
 & \cup & \rho_{resume} \circ \rho_{action\_evaluation} \circ \rho_{copy\_reset} \circ \rho_{guess\_fast\_inputs}
\end{array}
\]

Initial Valuation. We extend Θ_time by additionally requiring active(A)' = 
false = hanging(A)'. As for all fast events, initially none of the scheduling events 
is present. 
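The scheduling-control relations of this section, as an added Python illustration that is not the paper's own code: dcompl(root(SC)), the local variable x, the contents of an ordinary step and the exact effect of fast_reset (all fast events become absent, nothing else changes) are constructed assumptions.

```python
"""Scheduling control of one activity A (Section 4.5): rho_inactive,
rho_start, rho_stop, rho_suspend, rho_hanging, rho_resume and the guard of
rho_active_synch, over a valuation represented as a dict."""
from typing import Dict, Optional

Val = Dict[str, object]
SCHED_EVENTS = ["st!(A)", "sp!(A)", "sd!(A)", "rs!(A)"]
OUT_EVENTS = ["started(A)'", "stopped(A)'"]
DEFAULT_CONFIG = frozenset({"root", "S0"})     # stand-in for dcompl(root(SC))


def no_div(s: Val) -> bool:
    """sigma(step_div(A)) = sigma(step_div_env(A)) = false."""
    return not s["step_div(A)"] and not s["step_div_env(A)"]


def fast_reset(s: Val) -> Val:
    """Assumed fast_reset: every fast event becomes absent; variables and
    the state configuration c are left untouched."""
    return {**s, **{e: False for e in SCHED_EVENTS + OUT_EVENTS}}


def rho_inactive(s: Val, guess_st: bool, guess_div: bool) -> Optional[Val]:
    """Inactive: only st!(A) and step_div_env(A) are (nondeterministically)
    guessed; the guess is passed in as a parameter."""
    if s["st!(A)"] or s["active(A)'"] or not no_div(s):
        return None
    return {**s, "st!(A)": guess_st, "step_div_env(A)": guess_div}


def rho_start(s: Val) -> Optional[Val]:
    if not (s["st!(A)"] and no_div(s) and not s["active(A)'"]):
        return None
    return {**s, "active(A)'": True, "hanging(A)'": False, "started(A)'": True}


def rho_stop(s: Val) -> Optional[Val]:
    """Configuration back to dcompl(root(SC)), events cleared, stopped(A)'
    emitted; variables such as x keep their values (they are not reset)."""
    if not (s["sp!(A)"] and no_div(s)):
        return None
    out = fast_reset(s)
    out.update({"stopped(A)'": True, "active(A)'": False,
                "hanging(A)'": False, "c": DEFAULT_CONFIG})
    return out


def rho_suspend(s: Val) -> Optional[Val]:
    """Suspension freezes c and the variables but resets the fast events."""
    if not (s["sd!(A)"] and no_div(s) and s["active(A)'"] and not s["hanging(A)'"]):
        return None
    return {**fast_reset(s), "active(A)'": True, "hanging(A)'": True}


def rho_hanging(s: Val, guess_rs: bool, guess_div: bool) -> Optional[Val]:
    if s["rs!(A)"] or not s["active(A)'"] or not s["hanging(A)'"] or not no_div(s):
        return None
    return {**s, "rs!(A)": guess_rs, "step_div_env(A)": guess_div}


def rho_resume(s: Val) -> Optional[Val]:
    if not (s["rs!(A)"] and no_div(s) and s["active(A)'"] and s["hanging(A)'"]):
        return None
    return {**s, "hanging(A)'": False}


def active_synch_ok(s: Val) -> bool:
    """Guard of rho_active_synch: the activity may perform an ordinary step."""
    return (no_div(s) and s["active(A)'"] and not s["hanging(A)'"]
            and not s["sp!(A)"] and not s["sd!(A)"])


def ordinary_step(s: Val) -> Val:
    """Constructed stand-in for action evaluation: move to S1, bump x."""
    return {**s, "c": frozenset({"root", "S1"}), "x": s["x"] + 1}


def initial() -> Val:
    return {"active(A)'": False, "hanging(A)'": False, "step_div(A)": False,
            "step_div_env(A)": False, "c": DEFAULT_CONFIG, "x": 0,
            **{e: False for e in SCHED_EVENTS + OUT_EVENTS}}


def run_scenario() -> Dict[str, object]:
    """start -> step -> suspend -> resume -> step -> stop."""
    s = rho_inactive(initial(), guess_st=True, guess_div=False)  # env sends st!
    s = ordinary_step(rho_start(s))            # a started activity steps at once
    started = (s["started(A)'"], s["c"], s["x"])
    s = rho_suspend({**s, "sd!(A)": True})
    frozen = (s["hanging(A)'"], s["c"], s["sd!(A)"])   # c kept, events gone
    blocked = active_synch_ok(s)                # no ordinary step while hanging
    s = rho_hanging(s, guess_rs=True, guess_div=False)
    s = ordinary_step(rho_resume(s))            # resumes from the frozen c
    resumed = (s["hanging(A)'"], s["c"], s["x"])
    s = rho_stop({**s, "sp!(A)": True})
    stopped = (s["stopped(A)'"], s["active(A)'"], s["c"], s["x"])
    return {"started": started, "frozen": frozen, "blocked": blocked,
            "resumed": resumed, "stopped": stopped}
```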



5 The Dynamic Behaviour of Statecharts II: What Happens in a Super-step 

5.1 Introduction 

This chapter provides a compositional semantics for the asynchronous execution 
mode of the StateMate simulator. 

Recall from Chapter 1 that the asynchronous or super-step mode rests on 
the distinction between events generated from the environment of the SUD and 
those which are local to the SUD. Intuitively, we can view a StateMate design 
as a dynamic system which remains in stable local states unless irritated by 
external stimuli from the environment of the SUD. The impulse provided by an 
external stimulus will cause the SUD to lose its state of equilibrium and induce 
a chain of reactions to recover from this impulse, finding a - possibly different - 
stable state. Once such a stable state has been achieved, only another external 
impulse can cause the system to become out of balance. 

In the context of embedded systems, this super-step concept provides a natural 
means to group those sequences of steps necessary to compute new valuations 
for actuators based on sensor information provided as "external stimuli". StateMate 
as well as other synchronous languages try to reduce modelling effort by 
assuming the so-called synchrony hypothesis: reactions to external impulses occur 
in zero time. It is the task of lower design steps to ensure via RT-scheduling 
mechanisms that timeliness requirements are met even when the actual execution 
time of the generated code on the target is taken into account. For the purpose of 
this paper, we take the simple view that time increases by one unit whenever 
a new super-step is initiated. 

This intuitive concept induces a non-trivial effort when striving for a compositional 
semantics, since it subsumes the distributed termination problem [22]. 
In a compositional setting, each activity has only a local view on termination of 
a super-step: while the activity itself may not be able to perform further steps 
based on local and fast objects, other activities may still be busy computing 
their share of the current super-step. In particular, as long as one activity is 
still unstable, it may always decide to emit fast events or change valuations of 
fast variables, causing a locally stable activity to become unstable. Our compositional 
semantics incorporates protocols for detecting stability using the events 
stable and stable_env introduced in Chapter 3. We extend the simulation cycle 
from Fig. 1 by first explicitly handling the case where step selection induces 
an empty action set.^ The transition system defined in Chapter 4 does not in 
such a situation define any successor, hence inducing a terminating computation 
sequence. In this chapter, we take this condition as an indicator that stability 
may have been reached. For the purpose of this introduction, let us first assume 
that an empty action set implies that, from the perspective of this activity, the 
super-step cannot be prolonged by further steps. The activity would signal this 
by generating the event stable and then proceed to guess fast inputs, including 
the environment's flag stable_env. As long as the environment is not stable, 
new fast inputs represent reactions of other activities, produced in their striving 
to reach stability, hence we enter the "ordinary" step-simulation cycle, typically 
producing further local steps based on new fast inputs. The copy-reset phase 
will automatically reset the stable flag if indeed a step is now possible, hence 
maintaining the invariant that this flag is only set if no local continuation of 
a super-step is possible. If, on the other hand, the environment's stable flag was 
set, we have reached global agreement on completion of the previous super-step. 
This entails that at this stage locally computed slow events and updates to slow 
variables have to be made visible to the environment, and new values for slow in 
variables as well as slow in events have to be guessed. The technical machinery 
to achieve this is a straightforward adaption from the "fast" case and will thus 
only be addressed in the following technical subsections. Note that together with 
the already performed communication on the fast level we have now provided 
room for a complete update of the full interface of an activity. 

^ Recall that the action set comprises actions of transitions in the selected step as 
well as those of enabled static reactions. 

^ Conceptually replacing "step execution" and "copy_reset" in Fig. 1. 

Before we turn to the impact of super-steps on StateMate’s real-time fea- 
tures, we need to patch the above picture in order to model a peculiar behaviour 
regarding stability built into the simulator. 




Fig. 3. Superstep synchronization^ (figure not reproduced) 

Suppose again that the step-evaluation phase results in an empty action set. 
Now recall that guards allow testing for the absence of events. StateMate adopts 
the view that absence of events cannot only be caused by not having the event 
generated in the previous step, but also by the resetting mechanism (modelled 
by the reset function). Hence, even if no transition is enabled after completion of 
a step, just resetting the events generated in the previous step may cause guards 
to become true, hence inducing successor steps. Since this paper strives for a 
semantics which is congruent to the simulation semantics, our model reflects 
this additional cause of local instability by introducing a prestable loop, where 
all events are reset. Only if the action set remains empty will the stable flag be 
generated. Fig. 3 summarizes the result of this discussion. 

^ In contrast with the usual StateMate interpretation the second test in the prestable 
loop has to be evaluated with the new values. 

A Compositional Real-Time Semantics of STATEMATE Designs 223 

We now discuss informally aspects relating to real time. In the context of 
StateMate designs, we will assume that the virtual clock ticks exactly at 
superstep boundaries. This causes several side effects related to StateMate's 
real-time programming constructs: timers associated with time-outs and scheduled 
actions have to be updated, reflecting the passage of one time unit. As a 
result, time-outs may expire, and - due to the potential nesting of time-outs - 
timers for time-outs need to be reset. Moreover, scheduled actions may now become 
due for execution, and hence need to be evaluated prior to the initiation 
of the first step of the new superstep. 

This chapter is organized as follows. We first introduce in Section 5.2 the system 
variables required to detect stabilization of super-steps. Section 5.3 handles 
communication through slow interface objects. Three sections are devoted to 
time-dependent issues: the effect of incrementing the clock on timers, resetting 
timers of monitored and expired time-outs, and elaboration of due scheduled 
actions. Section 5.7 presents the formal definition of a compositional model supporting 
the asynchronous execution model, collecting the formal definition of the 
three types of transitions depicted in Fig. 3, taking into account the interaction 
between asynchronous execution of activities and scheduling, and leading to a 
formal definition of the compositional synchronous transition system 

\[ \mathit{CSTS}[SC]_{super} = \Phi_{super} = (V_{super}, \Theta_{super}, \rho_{super}, E_{super}) \]

associated with SC. 

5.2 The System Variables 

The set of external variables now subsumes unprimed versions of the stable flag 
of the activity A under consideration as well as of its environment, as fast out 
resp. in events. 

\[ E_{super} = E_{schedule} \cup \{ \mathit{stable}(A), \mathit{stable\_env}(A) \} . \]

The local variables are those of V_schedule. 



5.3 Communication through Slow Interface Objects 

Whenever a super-step synchronization succeeds, locally computed values of slow 
out interface objects become visible by copying primed into unprimed versions of 
the corresponding external variables, and new values of slow in interface objects 
are guessed. The adaption of these transitions from the fast case is immediate. 

Copy. If the environment's super-flag is set, the initiation of a new super-step is 
prepared by copying values of primed system variables, which served to collect 
the effect of executing the previous super-step, into their unprimed versions using 
the valuation transformation 

\[ \mathit{slow\_copy} : \Sigma_{super} \to \Sigma_{super} \]

\[
\mathit{slow\_copy}(\sigma)(sv) =
\begin{cases}
\sigma(sv') & \text{if } sv \in \mathit{events}(SC, A) \cup \mathit{var}(SC, A) \\
            & \quad \text{and } \mathit{speed}(sv) = slow \text{ and } \mathit{dir}(sv) = out \\[3pt]
\sigma(sv) & \text{otherwise.}
\end{cases}
\]

Note that this does not affect the valuation of slow external inputs. While 
in model generation we will only allocate unprimed copies of out variables for 
those which occur within a changed test, in our semantics we simply copy the 
primed versions into unprimed versions for all out variables. 

Reset. We will reset all slow out events to false at the beginning of a super-step, 
using the valuation transformation 

\[ \mathit{slow\_reset} : \Sigma_{super} \to \Sigma_{super} \]

defined by 

\[
\mathit{slow\_reset}(\sigma)(sv) =
\begin{cases}
false & \text{if } sv = e' \text{ for } e \in \mathit{events}(SC, A) \\
      & \quad \text{and } \mathit{speed}(e) = slow \text{ and } \mathit{dir}(e) = out \\[3pt]
\sigma(sv) & \text{otherwise.}
\end{cases}
\]

We define the relation ρ_slow_copy_reset by 

\[ \sigma\ \rho_{slow\_copy\_reset}\ \sigma' \quad \text{iff} \quad \sigma' = \mathit{slow\_reset}(\mathit{slow\_copy}(\sigma)) . \]



Guessing Slow Inputs. ρ_guess_slow_inputs guesses new values for slow inputs, and 
keeps all other interface objects stable. Again, invariants regarding bidirectional 
slow interface objects have to be respected. Formally, 

σ ρ_guess_slow_inputs σ' iff 

• ∀sv ∈ var(SC) ∪ events(SC) ∪ var(SC)' ∪ events(SC)' 
  ∪ {c, c'} ∪ {e ∈ events(A) | speed(e) = fast ∨ dir(e) = out} 
  ∪ {v ∈ var(A) | speed(v) = fast ∨ dir(v) = out} : 
  σ(sv) = σ'(sv) 

• ∀e ∈ events(A) : speed(e) = slow ∧ dir(e) = inout ∧ σ(e_out) = true 
  ⇒ σ'(e_in) = true 

• ∀v ∈ var(A) : dir(v) = inout ∧ speed(v) = slow ∧ σ(written_in(v)) = false 
  ⇒ σ'(v_in) = . 
5.4 What Happens on a Clock-tick I: Updating Timers 

Whenever a super-step synchronization has been successfully performed, the virtual 
clock is advanced. StateMate allows the user to instruct the simulator 
as to the next point in time to which the virtual clock is to be advanced. In 
our formal semantics, we simply step through the time axis of the virtual clock, 
adjusting the timers kept for time-outs and scheduled actions accordingly. The 
actual model constructed for model checking takes a more elaborate approach 
to eliminate trivial steps, in which neither slow inputs change nor time-outs or 
scheduled actions expire. 

We have introduced an explicit in event time representing clock ticks in order 
to provide a uniform reference clock in environments, where StateMate models 
are analyzed together with languages such as Signal, in which no single clock is 
identified as reference clock. From StateMate’s point of view, we assume that 
the time event is present whenever a super-step synchronization occurs. This 
reflects the synchrony hypothesis, guaranteeing that all responses to external 
stimuli are computed infinitely fast, prior to new arriving external stimuli. This 
assumption is “built into” the formal semantics and has to be checked when 
mapping the generated model on a target architecture. 

Recall from Section 4.3 that each timeout-event te is supported by a system 
variable expire(te), maintaining the number of clock ticks which occurred since 
the timer was set. While such timers are thus incremented upon each clock tick, 
timers associated with scheduled actions maintain the number of clock ticks 
still required until the action is to be evaluated, hence requiring these to be 
decremented at each clock tick. 

Formally, we define the transition relation $\rho_{time\_inc}$ on $\Sigma_{super}$ by 

$\sigma\ \rho_{time\_inc}\ \sigma'$ iff 

• $\sigma(time) = true\ \land$ 

• $\sigma' = \sigma[expire(te) / \sigma(expire(te)) + 1 \mid te \in Tevents(SC,A)]^6\,[schedule(a) / \{d - 1 \mid d \in \sigma(schedule(a))\} \mid a \in Sactions(SC)]$ . 



5.5 What Happens on a Clock-tick II: Time-out Events 

By incrementing timers for time-outs, we have guaranteed that time-outs oc- 
curring as guards evaluate to true if their time expression evaluates to the now 
updated value of the associated timer (cf. the definition of the semantics of time- 
outs in Section 4.3). In addition we now have to resolve complexities induced 
by nested timeouts. 

Timers associated with time-outs have to be reset, whenever the monitored 
time-out event occurs. Since the monitored event can itself be a time-out event, 

^6 The operation $+1$ is extended to the non-standard integer $t_{max}$ by defining $t_{max} + 1 = t_{max}$. 
incrementing the clock can cause these to expire. In defining the function re- 
set-cond(te), we have already catered for resetting of timers due to expired time- 
outs. Recall from Section 4.3, that the reset condition for a nested timeout event 
of the form te' = tm{te,texp'), where te = tm(e,texp), occurs, whenever the 
time associated with te matches its delay expression: 

$$reset\_cond(tm(te, texp))(\sigma) = (\sigma(expire(te)) = [\![texp]\!](\sigma)) .$$

By incrementing the clock (and hence incrementing this timer), this condition 
may have become true and the counter associated to te has to be reset: 

$\sigma\ \rho_{timeouts}\ \sigma'$ iff 

$$\sigma' = \sigma[expire(te) / \text{if } reset\_cond(te)(\sigma) \text{ then } 0 \text{ else } \sigma(expire(te)) \mid te \in Tevents(SC,A)] .$$



5.6 What Happens on a Clock-tick III: Scheduled Actions 

As a second side-effect of incrementing time, a scheduled action a may be due, 
in our model represented by having a zero waiting time in the set schedule(a) of 
delays until a is due to be evaluated. The StateMate simulator evaluates all 
such actions prior to initiating the first step of a new super-step. The transition 
relation $\rho_{sc\_actions}$ executes any due scheduled actions in a random order. Within 
the model generated for model-checking, we will instead check for race-conditions 
and evaluate due scheduled actions in some fixed order. Additionally, we have 
to eliminate zero-delay entries from all schedules. 



$\sigma\ \rho_{sc\_actions}\ \sigma'$ iff 

$$\sigma = \sigma' \land \forall a \in Sactions(SC) : 0 \notin \sigma(schedule(a))$$ 

or 

$$\begin{aligned} & \exists n \in \mathbb{N}\ \exists a = a_1; \ldots; a_n \in Actions(SC) : \\ & \sigma' = [\![a]\!]\sigma[schedule(a_i) / \sigma(schedule(a_i)) \setminus \{0\} \mid 1 \le i \le n] \\ & \land \{a_1, \ldots, a_n\} = \{a' \in Actions(SC) \mid \exists\, sc!(a', texp) \in Sactions(SC) : 0 \in \sigma(schedule(a'))\} \end{aligned}$$ 
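To make the three clock-tick relations concrete, here is an added executable model (our own code, not part of the paper): it represents a valuation with its expire counters and schedules, applies ρ_time_inc, ρ_timeouts and ρ_sc_actions in the order used for ρ_locally_stable in Section 5.7, and runs a constructed scenario with a nested time-out and a twice-scheduled action. The reset condition of a time-out on a plain event (Section 4.3, not reproduced on this page) is assumed to be the presence of that event, tmax is modelled by a large constant, and the names Valuation, clock_tick and example_run are ours.

```python
# Added example: executable model of rho_time_inc, rho_timeouts, rho_sc_actions.
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Set

TMAX = 10 ** 6   # stand-in for the non-standard integer tmax, with tmax + 1 = tmax


def saturating_inc(n: int) -> int:
    """The +1 of the paper, extended to tmax."""
    return n if n >= TMAX else n + 1


@dataclass(frozen=True)
class Timeout:
    """te = tm(event, delay); `event` may itself name a Timeout (nested time-out)."""
    name: str
    event: str
    delay: int


@dataclass
class Valuation:
    time: bool                       # the explicit `time` input event (clock tick)
    events: Set[str]                 # plain events present at this tick
    expire: Dict[str, int]           # expire(te): ticks since timer te was set
    schedule: Dict[str, Set[int]]    # schedule(a): remaining delays of sc!(a, texp)
    vars: Dict[str, int]             # ordinary data variables


Action = Callable[[Valuation], Valuation]


def reset_cond(te: Timeout, timeouts: Dict[str, Timeout], sigma: Valuation) -> bool:
    """reset_cond(te)(sigma): the event monitored by te occurred. For a nested
    time-out tm(te0, texp') this is expire(te0) = [[texp]] of te0."""
    if te.event in timeouts:
        inner = timeouts[te.event]
        return sigma.expire[inner.name] == inner.delay
    return te.event in sigma.events          # assumption for plain events


def time_inc(sigma: Valuation) -> Valuation:
    """rho_time_inc: enabled only when `time` is present; expire counters go up,
    scheduled-action delays go down."""
    if not sigma.time:
        raise ValueError("rho_time_inc is not enabled: time event absent")
    return replace(
        sigma,
        expire={te: saturating_inc(n) for te, n in sigma.expire.items()},
        schedule={a: {d - 1 for d in ds} for a, ds in sigma.schedule.items()},
    )


def timeouts_reset(sigma: Valuation, timeouts: Dict[str, Timeout]) -> Valuation:
    """rho_timeouts: every timer whose reset condition holds restarts at 0.
    All conditions are evaluated on the same (pre-)valuation sigma."""
    return replace(
        sigma,
        expire={name: 0 if reset_cond(timeouts[name], timeouts, sigma) else n
                for name, n in sigma.expire.items()},
    )


def sc_actions(sigma: Valuation, actions: Dict[str, Action]) -> Valuation:
    """rho_sc_actions: drop the zero-delay entries, then evaluate every due action
    in a fixed (name) order rather than the simulator's random order."""
    due = sorted(a for a, ds in sigma.schedule.items() if 0 in ds)
    if not due:
        return sigma
    sigma = replace(sigma, schedule={a: ds - {0} for a, ds in sigma.schedule.items()})
    for a in due:
        sigma = actions[a](sigma)
    return sigma


def clock_tick(sigma: Valuation, events: Set[str], timeouts: Dict[str, Timeout],
               actions: Dict[str, Action]) -> Valuation:
    """One tick: rho_time_inc ; rho_timeouts ; rho_sc_actions."""
    sigma = replace(sigma, time=True, events=set(events))
    return sc_actions(timeouts_reset(time_inc(sigma), timeouts), actions)


def example_run() -> List[Valuation]:
    """Constructed scenario: te1 = tm(e, 2), nested te2 = tm(te1, 1), and the
    action a (x := x + 1) scheduled via sc!(a, 2) and sc!(a, 5)."""
    timeouts = {t.name: t for t in (Timeout("te1", "e", 2), Timeout("te2", "te1", 1))}
    actions = {"a": lambda s: replace(s, vars={**s.vars, "x": s.vars["x"] + 1})}
    sigma = Valuation(True, set(), {"te1": 0, "te2": 0}, {"a": {2, 5}}, {"x": 0})
    trace = [sigma]
    for events in (set(), set(), {"e"}):     # e occurs only at the third tick
        sigma = clock_tick(sigma, events, timeouts, actions)
        trace.append(sigma)
    return trace
```

At the second tick te1 reaches its delay, so the nested te2 is reset to 0 in the same tick in which a becomes due and runs; at the third tick the occurrence of e resets te1 itself.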



5.7 Putting Everything Together: A Compositional Model for the 
Asynchronous Simulation Mode 

We now collect together the different pieces to form the control-automaton of 
Fig. 3. The individual transition relations will be collapsed into the three types of 
transitions depicted, each guarded by a partial identity modelling the “guard” of 
the transition in Fig. 3. Note that no transition can be taken if step-divergence 
occurs. 
The Step Transition. The step transition collects all test and valuation 
changes when executing a step, taking into account all features presented in 
Chapter 4, as included in the most elaborate model supporting scheduling pre- 
sented in Section 4.5. 

Define $\rho_{instable}$ as the partial identity on $\Sigma_{super}$ induced by the emptiness 
test on the step set: 

$$\sigma\ \rho_{instable}\ \sigma' \quad\text{iff}\quad \sigma = \sigma' \land Steps(\sigma) \neq \emptyset$$

Note that static reactions are only executed if a step was taken, hence it suffices 
to test for emptiness of the step-set to deduce that no action will be executed. 

We define the step-transition relation on $\Sigma_{super}$ as the product of this test 
and the transition relation $\rho_{schedule}$ defined in Section 4.5, handling all features 
of StateMate on the step-level: 

$$\rho_{step} = \rho_{instable} \circ \rho_{schedule}$$



The Prestable Transition. This transition accounts for steps possibly result- 
ing from resetting fast or local events, though no steps are possible based on 
the valuation of variables and events resulting from the previous step. In the 
second phase of this step we test whether the reset operation enables new tran- 
sitions. If this is not the case, local stability is reached and hence the stable flag 
is generated. 

Define $\rho_{prestable\_reset}$ as the relation on $\Sigma_{super}$ which tests for stability and 
performs a fast reset. 

$$\sigma\ \rho_{prestable\_reset}\ \sigma' \quad\text{iff}\quad Steps(\sigma) = \emptyset \land \sigma' = fast\_reset(\sigma) .$$

We extend this by a test on step-synchronization and append a guess for 
new input values to define the transition relation $\rho_{prestable\_init}$ associated with 
the first phase of the prestable transition. 

$$\rho_{prestable\_init} = \rho_{synch} \circ \rho_{prestable\_reset} \circ \rho_{guess\_fast\_inputs}$$

For the second phase the relation $\rho_{init\_super\_synch}$ sets the stable flag if the 
action set is still empty and $\rho_{not\_stable}$ denotes the partial identity in the case 
stability is not reached. 

$$\begin{aligned} \sigma\ \rho_{init\_super\_synch}\ \sigma' \quad&\text{iff}\quad Steps(\sigma) = \emptyset \land \sigma' = \sigma[stable(A) / true] \\ \sigma\ \rho_{not\_stable}\ \sigma' \quad&\text{iff}\quad Steps(\sigma) \neq \emptyset \land \sigma' = \sigma \end{aligned}$$

Combining both phases the prestable step is given by 

$$\rho_{prestable} = \rho_{prestable\_init} \circ (\rho_{init\_super\_synch} \cup \rho_{not\_stable}) .$$
The Locally-stable Transition. The relation $\rho_{stable\_synch}$ is only taken if 
local stability has been achieved, as indicated by a set stable flag and an 
empty step-set, then setting the stable-flag. 

$$\sigma\ \rho_{stable\_synch}\ \sigma' \quad\text{iff}\quad Steps(\sigma) = \emptyset \land \sigma(stable(A)) = true \land \sigma' = \sigma$$

The relation $\rho_{super\_synch}$ tests for super-step synchronization: 

$$\sigma\ \rho_{super\_synch}\ \sigma' \quad\text{iff}\quad \sigma' = \sigma \land \sigma(stable(A)) = true = \sigma(stable\_env(A))$$

We denote the partial identity guaranteeing an unsuccessful super-step syn- 
chronization by $\rho_{no\_super\_synch}$. 

Collecting together the relations handling communication through slow in- 
terface objects, guessing slow interface objects, update of time, handling expired 
time-outs, and scheduling due actions, we define the transition $\rho_{locally\_stable}$ by 

$$\begin{aligned} \rho_{locally\_stable} = \ & \rho_{stable\_synch} \circ \\ & (\rho_{super\_synch} \circ \rho_{slow\_copy\_reset} \circ \rho_{guess\_slow\_inputs} \circ \rho_{time\_inc} \circ \rho_{timeouts} \circ \rho_{sc\_actions} \\ & \ \cup\ \rho_{no\_super\_synch}) \\ & \circ \rho_{guess\_fast\_inputs} . \end{aligned}$$



The order of evaluation when initiating a new super-step is again defined in 
a way compliant to the StateMate simulator. If no super-step synchronization 
occurs, a step transition will be taken subsequently with the fast inputs guessed 
in this transition, since the synchronization test will remain positive. 

We summarize the transitions possible under the super-step semantics when 
active in the transition relation 

$$\rho_{active} = \rho_{locally\_stable} \cup \rho_{step} \cup \rho_{prestable} .$$



The Impact of Scheduling. Since all scheduling control is realized using 
fast interface objects, the formal model defined in Section 4.5 already provides a 
natural basis for an integration of scheduling and super-step execution: we simply 
replace the step-relation by the transition relation characterizing the active state, 
as done in the formal definition of the superstep-relation of the CSTS associated 
with SC. It is, however, worthwhile to consider the impact this definition has 
on the interaction of scheduling control and super-steps. 

$$\rho_{super} = \rho_{inactive} \cup \rho_{start} \circ \rho_{step} \cup \rho_{active} \cup \rho_{stop} \cup \rho_{suspend} \cup \rho_{hanging} \cup \rho_{resume} \circ \rho_{step} .$$
By definition of the initial valuation given below, we are assured that in inac- 
tive states both step and super-step synchronization are possible, hence inactive 
activities will not block sibling activities from proceeding in steps or super-steps. 
For suspended activities, as soon as step divergence occurs, the activity will be- 
come stuck, while itself not producing step divergence when suspended. Since 
the status of the $stable(A)$ flag is frozen when suspended, activities suspended 
in the middle of a super-step will inhibit other activities from completing their 
super-step. This requires either care when suspending activities, or a revision of 
the semantics. 



The Initial Valuation. We extend the initial valuation by requiring $stable(A)$ 
as well as $stable\_env(A)$ to be initially true. 



6 Semantics of Activity Charts 

An activity chart describes the activities of a system as well as the flow of data el- 
ements and events between these activities. Like a statechart, an activity chart can 
also be defined in a hierarchical way. In contrast to a statechart, an activity chart 
does not describe the behaviour of a system, but gives only the static aspects 
of the considered system. It defines a system in terms of activities and shows the 
information flow between these activities. The dynamics are described inside one 
activity by a statechart. An activity can also be some other externally defined 
component not modelled by a statechart^7. Every structured activity contains at 
most one controlling activity which has to be given by a statechart, which will 
be denoted as the controlling statechart. In the context of our compositional se- 
mantics we assume that this controlling statechart is always given. This control 
activity determines the dynamics of all other subactivities. It has the control to 
activate or deactivate its sibling activities. If an activity is further structured by 
subactivities, one of the subactivities will again act as the controlling part. 

This chapter will define the composition of activities in terms of the compo- 
sition of its control activities. Assume that an activity A is given by a controlling 
statechart SC together with subactivities $A_1, \ldots, A_n$ (cf. Fig. 4). A subactivity 
$A_i$ may again be defined by a statechart or by a composition of subactivities as 
illustrated in Fig. 5. In the previous sections we have developed a semantics of 
an activity chart given by one statechart, i.e. we have only described the seman- 
tics of a leaf in this hierarchical structure (e.g. $A_0$ or $SC_{11}$ of Fig. 5). In this 
section we will discuss the composition of activities to derive a semantics of a 
hierarchically given activity chart. 

The semantics of a composite system can be defined by a parallel composition 
of its subcomponents. In a first approach the parallel composition can be given 
by a parallel composition of statecharts as given in Fig. 6, i.e. the controlling 

^7 The StateMate system also offers the description of an activity by so-called mini- 
specs. 
Fig. 4. Activity chart with subactivities 



statechart SC operates in parallel with statecharts $SC(A_i)$ derived from the sub- 
activities $A_i$. In addition to this we have to distribute scheduling information and 
manage the resolution of shared variables and events by the mentioned monitor 
concept. If the activity A is started, this event has to be transferred to the con- 
trolling activity $A_0$ as $st!(A_0)$. All other scheduling events ($sp!(A)$, $sd!(A)$, $rs!(A)$) 
should also be distributed to the other subactivities (see Figure 7). This rela- 
tionship between the scheduling events can easily be described by an invariant 
on the allowed valuations. 

$$\begin{aligned} & started(A) \leftrightarrow started(A_0) \land stopped(A) \leftrightarrow stopped(A_0) \land \\ & active(A) \leftrightarrow active(A_0) \land hanging(A) \leftrightarrow hanging(A_0) \land \\ & st!(A) \leftrightarrow st!(A_0) \land \\ & sp!(A) \leftrightarrow \bigwedge_{i=0}^{n} sp!(A_i) \land sd!(A) \leftrightarrow \bigwedge_{i=0}^{n} sd!(A_i) \land rs!(A) \leftrightarrow \bigwedge_{i=0}^{n} rs!(A_i) \end{aligned}$$

To handle inout events and shared variables we have to consider the interfaces 
of the activities. Each activity A resp. $A_i$ is associated with an interface which 
defines the flow of data and events between these components. The semantics 
of A is given by combining the transition systems of the components $A_i$ and 
hiding the internal objects. We have not only to take the parallel composition 
of the transition systems as defined in Section 2.1, but also to deal with 
Fig. 5. Hierarchy of activities 



the resolution of multi-written variables and multi-generated events. As already 
indicated, this will be done by adding monitors for each shared variable and 
event of mode inout. A monitor of a shared variable v will resolve a common out 
value $v_{out}$ of the activity A out of the out values of the individual components 
$A_i$ which have v in their interface. Additionally the associated read, written, 
and changed events are handled by the monitor. To combine the individual out 
values we have to give them individual names in the combined valuation. Hence 
we will use a prefix operation which will rename the now local out values $v_{out}$ 
of a component $A_i$ to $A_i.v_{out}$. 

The composite system A is also written as $A_0 \| \ldots \| A_n$ and the $A_i$ are called 
the components of A. We use $Comp(A)$ to refer to these components. Concerning 
the interface of the components we may be interested in those components 
which refer to a common object, variable v or event e. Hence, we use the notation 
$Comp(A,v)$ to denote those components C of $Comp(A)$ which have v in their 
interface, i.e. $Comp(A,v) = \{C \in Comp(A) \mid v \in e\_int(C)\}$. 

6.1 Component Renaming 

For composing systems we require that local variables and events are disjoint. 
For common variables v and bidirectional events e we first rename the directed 
Fig. 6. Basic concept for composing subsystems (SC in parallel with SC(A_1), ..., SC(A_n)) 



copies $v_{in}$ and $v_{out}$, resp. $e_{in}$ and $e_{out}$, to make them unique to a component. 
This is done by prefixing these variables and events by the component name. 

Hence, given a transition system $\Phi = (V, \Theta, \rho, E)$ for an activity C as defined 
in the previous sections, we denote by $rename(\Phi, C)$ the transition system $\Phi' = 
(V', \Theta', \rho', E')$ defined by 

$$\begin{aligned} V' &:= V \\ E' &:= \{C.stable, C.stable\_env, C.step\_div, C.step\_div\_env\} \cup \\ &\quad\ \{C.e_{in}, C.e_{out} \mid e_{out} \in E\} \cup \\ &\quad\ \{C.v_{in}, C.v_{out} \mid v_{out} \in E\} \cup \\ &\quad\ \{e \mid e \in E \text{ and } dir(e) \neq inout\} \cup \\ &\quad\ \{v \mid v \in E \text{ and } dir(v) \neq inout\} \\ \Theta' &:= \{\sigma \mid \sigma_{rename(E',E)} \in \Theta\} \\ \rho' &:= \{(\sigma, \sigma') \mid (\sigma_{rename(E',E)}, \sigma'_{rename(E',E)}) \in \rho\} \end{aligned}$$

where $\sigma_{rename(E',E)}$ is a valuation of $V \cup E$ where an element of E has the value 
of the corresponding element of E' given by $\sigma$, i.e. assume that $\sigma : V \cup E' \to \mathcal{D}$, 
then $\sigma_{rename(E',E)} : V \cup E \to \mathcal{D}$ and 

$$\sigma_{rename(E',E)}(w) = \begin{cases} \sigma(w) & \text{if } w \in V \\ \sigma(C.w) & \text{if } w \in \{stable, stable\_env, step\_div, step\_div\_env\} \\ & \quad \text{or } w = e_{in} \text{ or } w = e_{out} \text{ for some event } e \\ & \quad \text{or } w = v_{in} \text{ or } w = v_{out} \text{ for some variable } v \\ \sigma(w) & \text{otherwise.} \end{cases}$$



6.2 Monitor for Variables 

To distribute a value of a shared variable v in a composite system $A = A_0 \| \ldots \| A_n$ 
we introduce a monitor Monitor(v) as shown in Figure 8 for two components. It 
observes all actions of the components which write to v, collects the values and 
broadcasts a (nondeterministically) selected value to the environment. Further- 
more it reads the given values from the environment and transports appropriate 
values to the components. It does not only manage the value of v but also the 
related read, written, and changed events. The behaviour is captured by the 
transition system 
Fig. 7. Distribution of scheduling information 



$$\Phi_{Mon(v)} = (V_{Mon(v)}, \Theta_{Mon(v)}, \rho_{Mon(v)}, E_{Mon(v)})$$

with 

— local variables $V_{Mon(v)} = \emptyset$, 

— environment variables 

$$\begin{aligned} E_{Mon(v)} = \{ & v_{out}, v_{in}, written(v)_{out}, written(v)_{in}, changed(v)_{out}, changed(v)_{in}, read(v)_{out}, read(v)_{in}\} \\ \cup\ \{ & C.v_{out}, C.v_{in}, C.written(v)_{out}, C.written(v)_{in}, C.changed(v)_{out}, C.changed(v)_{in}, \\ & C.read(v)_{out}, C.read(v)_{in} \mid C \in Comp(A,v)\}, \end{aligned}$$

— the set of initial valuations 

$$\begin{aligned} \Theta_{Mon(v)} = \{\sigma \mid\ & \sigma(v_{out}) = \sigma(C.v_{in}) = \\ & \sigma(written(v)_{out}) = \sigma(changed(v)_{out}) = \sigma(read(v)_{out}) = false, \\ & \sigma(C.written(v)_{in}) = \sigma(C.changed(v)_{in}) = \sigma(C.read(v)_{in}) = false\}, \end{aligned}$$



and 
Fig. 8. Monitor concept (ports: read(v)_in, written(v)_in, written(v)_out, read(v)_out, changed(v)_in, v_in, v_out, changed(v)_out) 
— transition relation 

$$\rho_{Mon(v)} = \{(\sigma, \sigma') \mid \sigma' \models consistent(v)\} ,$$

where the predicate $consistent(v)$ describes that the distributed values of v 
and the changed and written events are consistent with the observed values 
distributed by the components. 

The predicate $consistent(v)$ is defined by 

$$\begin{aligned} consistent(v) := \ & \Big( \bigvee_{C \in Comp(A,v)} (v_{out} = C.v_{out} \land C.written(v)_{out}) \\ & \ \lor \big( \bigwedge_{C \in Comp(A,v)} v_{out} = C.v_{out} \land \bigwedge_{C \in Comp(A,v)} \lnot C.written(v)_{out} \big) \Big) \\ & \land \bigwedge_{C \in Comp(A,v)} C.v_{in} = v_{in} \\ & \land \big( written(v)_{out} \leftrightarrow \bigvee_{C \in Comp(A,v)} C.written(v)_{out} \big) \\ & \land \bigwedge_{C \in Comp(A,v)} C.written(v)_{in} = written(v)_{in} \\ & \land \big( changed(v)_{out} \leftrightarrow \bigvee_{C \in Comp(A,v)} (C.changed(v)_{out} \land v_{out} = C.v_{out}) \big) \\ & \land \bigwedge_{C \in Comp(A,v)} C.changed(v)_{in} = changed(v)_{in} \\ & \land \big( read(v)_{out} \leftrightarrow \bigvee_{C \in Comp(A,v)} C.read(v)_{out} \big) \\ & \land \bigwedge_{C \in Comp(A,v)} C.read(v)_{in} = read(v)_{in} . \end{aligned}$$

If v is not in the interface of A, i.e. if v is local to A, we have to modify 
the monitor described above by removing the variables $v_{in}$, $v_{out}$, $written(v)_{in}$, 
$written(v)_{out}$, $changed(v)_{in}$, $changed(v)_{out}$, $read(v)_{in}$, $read(v)_{out}$. The computed 
value for $v_{out}$ is directly copied to the individual inputs $C.v_{in}$. The same is done 
for the written, changed, and read events. I.e. the predicate has the following 
form: 

$$\begin{aligned} consistent(v) := \ & \Big( \bigvee_{C \in Comp(A,v)} \big( \bigwedge_{C' \in Comp(A,v)} C'.v_{in} = C.v_{out} \land C.written(v)_{out} \big) \\ & \ \lor \big( \bigwedge_{C \in Comp(A,v)} C.v_{in} = C.v_{out} \land \bigwedge_{C \in Comp(A,v)} \lnot C.written(v)_{out} \big) \Big) \\ & \land \big( \bigwedge_{C' \in Comp(A,v)} (C'.written(v)_{in} \leftrightarrow \bigvee_{C \in Comp(A,v)} C.written(v)_{out}) \big) \\ & \land \big( \bigwedge_{C' \in Comp(A,v)} (C'.changed(v)_{in} \leftrightarrow \bigvee_{C \in Comp(A,v)} (C.changed(v)_{out} \land C'.v_{in} = C.v_{out})) \big) \\ & \land \big( \bigwedge_{C' \in Comp(A,v)} (C'.read(v)_{in} \leftrightarrow \bigvee_{C \in Comp(A,v)} C.read(v)_{out}) \big) . \end{aligned}$$



Global Assumptions. As the environment is responsible for the resolution of 
the values of shared variables, the environment should also set the written and 
changed events in accordance with the given input value. 

$$\begin{aligned} written(v)_{in} = false &\Rightarrow changed(v)_{in} = false \\ written(v)_{in} = false &\Rightarrow written(v)_{out} = false \land v_{in} = v_{out} \\ read(v)_{out} = true &\Rightarrow read(v)_{in} = true . \end{aligned}$$

6.3 Monitor for Events 

The difference for the handling of events is that the resulting value is given by a 
disjunction of all values of the relevant components. I.e. we do not deterministi- 
cally select a value (true or false) but instead raise an event if some component 
raises that event. There is only one exception, given by the event stable, as a system 
is stable iff all its subsystems are stable. Hence, in that case we have to perform 
a conjunction. 

The monitor $\Phi_{Mon(stable)}$ is given by 

$$\begin{aligned} E &:= \{stable, stable\_env\} \cup \{C.stable, C.stable\_env \mid C \in Comp(A)\} \\ V &:= \emptyset \\ \Theta &:= \{\sigma \mid \sigma(stable) = true,\ \sigma(C.stable\_env) = true \text{ for all } C\} \\ \rho &:= \{(\sigma, \sigma') \mid \sigma'(stable) = false \text{ iff } \exists C \text{ with } \sigma'(C.stable) = false, \\ &\qquad\quad \sigma'(C.stable\_env) = false \text{ iff } \sigma'(stable\_env) = false \text{ or } \exists C' \neq C \text{ with } \sigma'(C'.stable) = false\} . \end{aligned}$$

The monitor $\Phi_{Mon(step\_div)}$ is given by 

$$\begin{aligned} E &:= \{step\_div, step\_div\_env\} \cup \{C.step\_div, C.step\_div\_env \mid C \in Comp(A)\} \\ V &:= \emptyset \\ \Theta &:= \{\sigma \mid \sigma(step\_div) = false,\ \sigma(C.step\_div\_env) = false \text{ for all } C\} \\ \rho &:= \{(\sigma, \sigma') \mid \sigma'(step\_div) = true \text{ iff } \exists C \text{ with } \sigma'(C.step\_div) = true, \\ &\qquad\quad \sigma'(C.step\_div\_env) = true \text{ iff } \sigma'(step\_div\_env) = true \text{ or } \exists C' \neq C \text{ with } \sigma'(C'.step\_div) = true\} . \end{aligned}$$

The monitor $\Phi_{Mon(e)}$ for a bidirectional event e is given by 

$$\begin{aligned} E &:= \{e_{out}, e_{in}\} \cup \{C.e_{out}, C.e_{in} \mid C \in Comp(A,e)\} \\ V &:= \emptyset \\ \Theta &:= \{\sigma \mid \sigma(e_{out}) = false,\ \sigma(C.e_{in}) = false \text{ for all } C \in Comp(A,e)\} \\ \rho &:= \{(\sigma, \sigma') \mid \sigma'(e_{out}) = true \text{ iff } \exists C \in Comp(A,e) \text{ with } \sigma'(C.e_{out}) = true \\ &\qquad\quad \text{and } \sigma'(C.e_{in}) = \sigma'(e_{in}) \text{ for all } C \in Comp(A,e)\} . \end{aligned}$$

If e is not in the interface of A, the variables $e_{in}$ and $e_{out}$ are removed from 
the set E and $\rho$ is modified in the following way: 

$$\rho := \{(\sigma, \sigma') \mid \sigma'(C'.e_{in}) = true \text{ iff } \exists C \in Comp(A,e) \text{ with } \sigma'(C.e_{out}) = true\}$$
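The following added checker (our own code, not the paper's) evaluates the monitor relations of Sections 6.2 and 6.3 on a concrete post-state: consistent(v) for a shared variable written by two components in the same step, the conjunction of the stable monitor, and the disjunction for a bidirectional event. The port naming ("C1.v_out"), the resolve helper that builds a post-state for a chosen writer, and the written_values race check are our own conventions.

```python
# Added example: checking the monitor predicates of Sections 6.2 and 6.3.
from typing import Any, Dict, List, Optional

State = Dict[str, Any]   # post-state sigma': port name -> value; "C.port" for components


def consistent_v(s: State, v: str, comps: List[str]) -> bool:
    """consistent(v) of Section 6.2 for a shared variable v in A's interface."""
    vout = s[f"{v}_out"]
    writers = [c for c in comps if s[f"{c}.written({v})_out"]]
    # value selection: v_out is some writer's value, or nobody wrote and every
    # component's v_out already agrees with v_out
    if writers:
        ok = any(s[f"{c}.{v}_out"] == vout for c in writers)
    else:
        ok = all(s[f"{c}.{v}_out"] == vout for c in comps)
    # environment inputs are broadcast unchanged to every component
    for port in (f"{v}_in", f"written({v})_in", f"changed({v})_in", f"read({v})_in"):
        ok &= all(s[f"{c}.{port}"] == s[port] for c in comps)
    # collected outputs: written/read are disjunctions; changed only counts for
    # a component whose value is the selected one
    ok &= s[f"written({v})_out"] == any(s[f"{c}.written({v})_out"] for c in comps)
    ok &= s[f"read({v})_out"] == any(s[f"{c}.read({v})_out"] for c in comps)
    ok &= s[f"changed({v})_out"] == any(
        s[f"{c}.changed({v})_out"] and s[f"{c}.{v}_out"] == vout for c in comps)
    return bool(ok)


def written_values(v: str, comps: List[str], outs: Dict[str, State]) -> set:
    """Distinct values written to v in this step; more than one means the
    monitor's nondeterministic selection matters (a write race)."""
    return {outs[c][f"{v}_out"] for c in comps if outs[c][f"written({v})_out"]}


def resolve(v: str, comps: List[str], outs: Dict[str, State], env_in: State,
            chosen: Optional[str] = None) -> State:
    """Build the post-state the monitor produces after selecting writer `chosen`
    (None: take the first component's value, valid only if nobody wrote).
    outs[c] holds c's *_out ports, env_in the environment's *_in ports."""
    s: State = dict(env_in)
    for c in comps:
        s.update({f"{c}.{k}": val for k, val in outs[c].items()})
        s.update({f"{c}.{k}": val for k, val in env_in.items()})
    src = chosen if chosen is not None else comps[0]
    s[f"{v}_out"] = outs[src][f"{v}_out"]
    for ev in ("written", "read"):
        s[f"{ev}({v})_out"] = any(outs[c][f"{ev}({v})_out"] for c in comps)
    s[f"changed({v})_out"] = any(
        outs[c][f"changed({v})_out"] and outs[c][f"{v}_out"] == s[f"{v}_out"]
        for c in comps)
    return s


def stable_monitor_ok(s: State, comps: List[str]) -> bool:
    """rho of Phi_Mon(stable): A is stable iff all components are (conjunction);
    C.stable_env is false iff the environment or some sibling C' != C is unstable."""
    ok = (not s["stable"]) == any(not s[f"{c}.stable"] for c in comps)
    for c in comps:
        sibling_unstable = any(not s[f"{d}.stable"] for d in comps if d != c)
        ok &= (not s[f"{c}.stable_env"]) == ((not s["stable_env"]) or sibling_unstable)
    return bool(ok)


def event_monitor_ok(s: State, e: str, comps: List[str], local: bool = False) -> bool:
    """rho of Phi_Mon(e): e_out is the disjunction of the C.e_out and e_in is
    broadcast; for an e local to A, each C.e_in is that disjunction instead."""
    raised = any(s[f"{c}.{e}_out"] for c in comps)
    if local:
        return all(s[f"{c}.{e}_in"] == raised for c in comps)
    return s[f"{e}_out"] == raised and all(s[f"{c}.{e}_in"] == s[f"{e}_in"] for c in comps)
```

With two components writing 5 and 7 in the same step, both post-states built for writer C1 and for writer C2 satisfy consistent(v), whereas a post-state carrying a value no writer produced, or one where a component did not receive the broadcast v_in, does not.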

6.4 Composition of Systems 

After defining the various monitors we can give a semantics to the composite 
system $A = A_0 \| \ldots \| A_n$ by building the parallel composition of the individual 
transition systems $rename(\Phi_i, A_i)$ together with the transition systems of the 
relevant monitors. Then all objects not visible outside of A are hidden by the 
hide operator. Let $var = \bigcup_{i=0}^{n} \{v \in e\_int(A_i) \mid dir(v) = inout\}$ and $bevents = 
\bigcup_{i=0}^{n} \{e \in e\_int(A_i) \mid dir(e) = inout\}$. 

$$\begin{aligned} TS[A] = hide\big( & rename(\Phi(A_0), A_0) \| \ldots \| rename(\Phi(A_n), A_n) \\ & \| \ \|_{v \in var} \Phi_{Mon(v)} \ \| \ \|_{e \in bevents} \Phi_{Mon(e)} \ \| \ \Phi_{Mon(stable)} \ \| \ \Phi_{Mon(step\_div)} , \\ & \bigcup_{i=0}^{n} full\_int(A_i) \setminus full\_int(A) \big) \end{aligned}$$

The hiding operator hide removes some of the visible objects from the inter- 
face. This is simply defined by moving the variables from E to V, i.e. 

$$hide((V, \Theta, \rho, E), W) = (V \cup W, \Theta, \rho, E \setminus W) .$$

7 Conclusion 

In this paper we have defined a real-time semantics for statecharts based on the 
StateMate system. We have introduced a step semantics as well as a super-step 
semantics. These formal semantics allow the integration of the StateMate sys- 
tem within an environment for formal verification techniques. In current projects 
this has been achieved by providing a translation from StateMate into a finite 
state machine (FSM) description used as an interface to a model checker [3]. 
The compositional approach used in this paper not only allows properties of 
statecharts to be checked by model checking, but also allows the use of compositional 
verification methods, which are required for large designs due to the state explosion 
problem. 
Abstract. Effective verification methods, both deductive and algorith- 
mic, exist for the verification of global system properties. In this paper, 
we introduce a formal framework for the modular description and verifi- 
cation of parameterized fair transition systems. The framework allows us 
to apply existing global verification methods, such as verification rules 
and diagrams, in a modular setting. Transition systems and transition 
modules can be described by recursive module expressions, allowing the 
description of hierarchical systems of unbounded depth. Apart from the 
usual parallel composition, hiding and renaming operations, our mod- 
ule description language provides constructs to augment and restrict the 
module interface, capabilities that are essential for recursive descrip- 
tions. We present proof rules for property inheritance between modules. 
Finally, module abstraction and induction allow the verification of re- 
cursively defined systems. Our approach is illustrated with a recursively 
defined arbiter for which we verify mutual exclusion and eventual access. 



1 Introduction 

In this paper we introduce a formal framework for the modular description and 
mechanical, modular verification of parameterized fair transition systems. The 
framework provides a system description language that allows concise, modu- 
lar, possibly recursive and parameterized system descriptions. It is sufficiently 
expressive to represent various modes of communication between modules, and 
enables the reuse of code, that is, transition modules can be described once and 
referred to multiple times in a system description. The framework supports a 
variety of analysis techniques, such as verification rules, verification diagrams, 
model checking, abstraction and refinement, the results of which can be seam- 
lessly combined in the course of a single proof. 

Our framework extends the principles for modular verification presented in 
[MP95b] and those formulated for I/O automata [LT89, LT87]. The basic build- 
ing block of our system description language is a transition module, consisting 
of an interface that describes the interaction with the environment, and a body 
that describes its actions. Communication between a module and its environ- 
ment can be asynchronous, through shared variables, and synchronous, through 
synchronization of transitions. More complex modules can be constructed from 
simpler ones by (recursive) module expressions, allowing the description of hier- 
archical systems of unbounded depth. Module expressions can refer to (instances 
of parameterized) modules defined earlier by name, thus enabling the reuse of 
code and the reuse of properties proven about these modules. Apart from the 
usual hiding and renaming operations, our module description language provides 
a construct to augment the interface with new variables that provide a summary 
value of multiple variables within the module. Symmetrically, the restrict oper- 
ation allows the module environment to combine or rearrange the variables it 
presents to the module. As we will see later, these operations are essential for 
the recursive description of modules, to avoid an unbounded number of variables 
in the interface. 

The basis of our proposed verification methodology is the notion of modular 
validity, as proposed in [Pnu85, Cha93, MP95b]. An ltl property holds over 
a module if it holds over any system that includes that module (taking into 
account variable renamings). That is, no assumptions are made about the mod- 
ule’s environment. Therefore, modular properties are inherited by any system 
that includes the module. Many useful, albeit simple properties can be proven 
modularly valid. However, as often observed, not many interesting properties 
are modularly valid, because most properties rely on some cooperation by the 
environment. 

The common solution to this problem is to use some form of assumption- 
guarantee reasoning, originally proposed by Misra and Chandy [MC81] and 
Jones [Jon83]. Here, a modular property is an assertion that a module satis- 
fies a guarantee G, provided that the environment satisfies the assumption A. 
An assumption-guarantee property can be formulated as an implication of ltl 
formulas with past operators [BK84, GL94, JT95]. Thus in ltl there is no need 
for compositional proof rules dealing with the discharge of assumptions as for 
example in [AL93]. In our framework these rules are subsumed by property in- 
heritance rules: systems that are composed of modules by parallel composition 
directly inherit properties of their components. In this way assumptions can be 
discharged either by properties of other components, or by the actual implemen- 
tation of the composite module. If the assumption cannot be discharged, it is 
simply carried over to the composite module. This flexibility in our approach 
as to when and how assumptions are discharged is similar to the one described 
by Shankar [Sha93]. In particular it does not require the verifier to anticipate 
assumptions that could be made on a module by other modules [Sha98]. 

Our verification methodology supports both composition and decomposition, 
as defined by Abadi and Lamport [AL93]. In compositional reasoning, we ana- 
lyze a component without knowing the context it may be used in. We therefore 
state and prove properties that express explicitly under what assumptions on the 
environment a certain guarantee is given. This approach is taken by our mod- 
ular proof rule and the property inheritance rules. In decompositional reasoning 
the composite system is analyzed by looking at one module at a time. In our 
experience both methods can be used during a system verification effort. Com- 
positional reasoning is used to establish invariants and simple liveness properties 
about components. Then the system is analyzed from the top down, using the 
previously proven modular properties, and using abstraction to hide details that 
are irrelevant to the property at hand. We provide a modular inheritance rule 
that allows modules in expressions to be replaced with simpler modules, such 
that properties proven over the system containing the simpler module are also 
valid over the system containing the actual module. Alternatively this can also 
be used in the other direction, in design. Any (underspecified) module may be 
refined into a more detailed one, while preserving the properties proven so far. 

A convenient abstraction, which can be constructed automatically, is the 
interface abstraction, which represents only the information in the interface and 
ignores all implementation details. Using the interface abstraction in place of a 
module is especially useful when we consider recursively described systems of 
unbounded depth: in this case the implementation details are in fact unknown. 
Such systems fit in naturally in our framework: we combine the decompositional 
interface abstraction with a compositional induction rule. 



1.1 Example 

We illustrate our description language and verification methodology with the 
verification of a recursively defined binary arbiter that guarantees mutual exclu- 
sion to a critical resource. A number of clients can each request access, and the 
arbiter gives a grant to one client at a time. Our design, shown in Figure 1, is 
based on a similar example in [Sta94]. The arbiter is described as a tree of nodes. 




Fig. 1. A Hierarchical Arbiter. 
where a tree consists of two subtrees and a node that guarantees mutual exclu- 
sion between the two subtrees. Thus while the simple algorithm represented in 
the nodes deals with two clients at a time, a tree of height h ensures mutual ex- 
clusion for $2^h$ clients. Local correctness proofs for implementations of the nodes 
are discussed in [Dil88], and safety properties of arbiter trees are verified in 
[GGS88]. 

1.2 STeP 

Part of the framework presented here has been implemented in STeP (Stan- 
ford Temporal Prover), a tool for the deductive and algorithmic verification of 
reactive, real-time and hybrid systems [BBC+96, BBC+95, BMSU97]. STeP im- 
plements verification rules and verification diagrams for deductive verification. 
A collection of decision procedures for built-in theories, including integers, reals, 
datatypes and equality is combined with propositional and first-order reason- 
ing to simplify verification conditions, proving many of them automatically. The 
proofs in the arbiter example, presented in Section 5, have been performed with 
STeP. 

1.3 Outline 

The rest of the paper is organized as follows. In Section 2 we introduce our 
computational model, fair transition systems, and specification language, ltl. 
In Section 3 we define transition modules and parameterized transition modules, 
and present the syntax and semantics of our module description language. Here 
we give a full description of the arbiter example. In Section 4 we propose a 
modular verification rule and devise verification rules for property inheritance 
across the operations of our module description language. We discuss modular 
abstraction and induction as techniques that can be used to prove properties 
over recursively defined modules. In Section 5 we verify mutual exclusion and 
eventual access for the arbiter using the rules presented in Section 4. 

2 Preliminaries 

2.1 Computational Model: Transition Systems 

As the underlying computational model for verification we use fair transition 
systems (fts) [MP95b]. 

Definition 1 Fair Transition System. A fair transition system $\Phi = (V, \Theta, \mathcal{T}, \mathcal{J}, \mathcal{C})$ consists of 

— $V$: A finite set of typed system variables. A state is a type-consistent in- 
terpretation of the system variables. The set of all states is called the state 
space, and is designated by $\Sigma$. We say that a state $s$ is a $p$-state if $s$ satisfies 
$p$, written $s \models p$. 
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— 0: The initial condition, a satisfiable assertion characterizing the initial 
states. 

— T: A finite set of transitions. Each transition r € T is a function 

T : 2^ 

mapping each state s £ S into a (possibly empty) set of r-successor states, 
r(s) C E. Each transition r is defined by a transition relation Pr(V,V), 
a first-order formula in which the unprimed variables refer to the values 
in the current state s, and the primed variables refer to the values in the 
next state s' . Transitions may be parameterized, thus representing a possibly 
infinite set of similar transitions. 

— C T: A set of just transitions. 

— C C T: A set of compassionate transitions. 

Definition 2 Runs and Computations. A run of an FTS $S = (V, \Theta, T, J, C)$ is an infinite sequence of states $\sigma : s_0, s_1, s_2, \ldots$, such that

— Initiation: $s_0$ is initial, that is, $s_0 \models \Theta$.

— Consecution: For each $j = 0, 1, \ldots$, $s_{j+1}$ is a $\tau$-successor of $s_j$, that is, $s_{j+1} \in \tau(s_j)$ for some $\tau \in T$. We say that $\tau$ is taken at $s_j$ if $s_{j+1}$ is a $\tau$-successor of $s_j$.

A computation of an FTS $S$ is a run $\sigma$ of $S$ such that

— Justice: For each transition $\tau \in J$, it is not the case that $\tau$ is continuously enabled beyond some point in $\sigma$ without being taken beyond that point.

— Compassion: For each transition $\tau \in C$, it is not the case that $\tau$ is infinitely often enabled beyond a certain point in $\sigma$ without being taken beyond that point.

Definition 3 Parameterized Transition System. Let $\mathcal{F}$ be the class of all fair transition systems, and $P = (p_1, \ldots, p_n)$ a tuple of parameters with types $t_1, \ldots, t_n$. Then a parameterized transition system $F : t_{p_1} \times \ldots \times t_{p_n} \mapsto \mathcal{F}$ is a function from the input parameters to fair transition systems. Given a parameterized fair transition system $F$, and a list of values $a_1, \ldots, a_n$, type consistent with $p_1, p_2, \ldots, p_n$, the instance $F(a_1, a_2, \ldots, a_n)$ denotes the fair transition system where all the references to $p_1, p_2, \ldots, p_n$ have been replaced by $a_1, a_2, \ldots, a_n$.

An infinite sequence of states $\sigma : s_0, s_1, \ldots$ is a computation of a parameterized transition system $F$ if $\sigma$ is a computation of $F(a)$ for some $a$. Thus the set of computations of a parameterized system is the union of the sets of computations of all its instances.
2.2 Specification Language

We use linear-time temporal logic (LTL) with past operators to specify properties of reactive systems. LTL formulas are interpreted over infinite sequences of states. The truth-value of a formula for a given model is evaluated at the initial position of the model. We say that a temporal formula holds at a particular state of a model if it is true of the sequence which starts at that state. Below we only define those temporal operators used in the rest of the example. For the full set, the reader is referred to [MP91].

Given a model $\sigma = s_0, s_1, \ldots$, the temporal operators $\Box$, $\Diamond$ and $\ominus$ are defined as follows:

$\Box p$ holds at state $s_j$ iff $p$ is true for all states $s_i$, $i \geq j$;

$\Diamond p$ holds at state $s_j$ iff $p$ is true for some state $s_i$, $i \geq j$;

$\ominus p$ holds at state $s_j$ iff $s_j$ is not the first state and $p$ holds at state $s_{j-1}$;

$\Box$ and $\Diamond$ are called future operators, while $\ominus$ is a past operator. We will refer to formulas that contain only past operators as past formulas. In this paper we do not allow temporal operators to appear within the scope of a quantifier. A formula containing no temporal operators is called a state-formula or an assertion.

Given an FTS $S$, we say that a temporal formula $\varphi$ is $S$-valid if every computation of $S$ satisfies $\varphi$, and write $S \models \varphi$.

3 Transition Modules and Systems 

A transition system describes a closed system, that is, a system that does not 
interact with its environment. To enable reasoning about individual components 
of a transition system, we define transition modules. A transition system is then 
constructed from interacting transition modules. Transition modules can com- 
municate with their environment via shared variables or via synchronization of 
transitions. 

A transition module consists of two parts: an interface and a body. The in- 
terface describes the interaction between the module and its environment; it 
consists of a set of interface variables and a set of transition labels. We distin- 
guish four types of interface variables. Constants in the interface are often used 
as parameters for the module; they have a fixed value throughout a computa- 
tion. Input variables belong to the environment, they cannot be changed by the 
module. Output variables are owned by the module and cannot be changed by 
the environment. Finally, shared variables can be modified by both the module 
and the environment. 

The transition labels in the interface refer to transitions in the body. Such 
exported transitions can synchronize with other transitions with the same label 
in the environment. The result of synchronization is a new transition whose 
transition relation is the conjunction of the transition relations of the original 
transitions. One transition may have multiple labels, so it may synchronize with 
multiple transitions. 
The module body is similar in structure to a fair transition system; it has its own set of private variables that cannot be observed nor modified by the environment. The transitions in the body have to respect the interface: they may modify private variables, output and shared variables, but not input variables or constants. Similarly, the initial condition cannot constrain the input variables or constants.

To be able to prove properties about modules we associate with each module 
a transition system such that the set of computations of the associated transition 
system is a superset of the set of computations of any system that includes the 
module. Having these semantics for modules allows us to “lift” properties of 
modules to properties of the whole system, that is, if a property has been proven 
valid over a module, then a corresponding property can be inferred for any 
system that includes that module. 

Transition modules can be described directly, by giving their interface and body, or they can be constructed from other modules using module expressions.



3.1 Transition Module: Definition

The basic building block of a transition module system is the transition module.

Vocabulary We assume that all variables in a transition module description are taken from a universal set of variables $\mathcal{V}$, called the variable vocabulary, and that all transition labels are taken from a universal set of labels called $T_{id}$.

Definition 4 Transition Module. A transition module $M = (I, B)$ consists of an interface declaration $I = (V, \mathcal{T})$ and a body $B = (V_p, \Theta, T, \Lambda, J, C)$. The interface components are

— $V \subseteq \mathcal{V}$: the set of interface variables, partitioned into four subsets as follows:

• $V_c$: constants, possibly underspecified, which cannot be modified;

• $V_i$: input variables, which can only be modified by the environment;

• $V_o$: output variables, which can only be modified by the module;

• $V_s$: shared variables, which can be modified by both the module and the environment.

— $\mathcal{T} \subseteq T_{id}$: a set of transition labels. The transitions corresponding to these labels may synchronize with transitions in the environment.

A transition module is called closed if both the set of shared variables and the set of exported transitions are empty.

The components of the body are:

— $V_p$: a set of private variables, which can neither be modified nor observed by the module's environment.

— $\Theta$: the initial condition, an assertion over $V_p \cup V_o$.

— $T$: a set of transitions, specified in the same way as described in Section 2; we require that

$\rho_\tau \to \bigwedge_{v \in V_c} v' = v$ for all $\tau \in T$

— $\Lambda \subseteq T \times T_{id}$: a transition labeling relation, relating transitions to their labels. Note that multiple transitions can have the same label, and that a single transition may have multiple labels. We require that the labeling relation $\Lambda$ relates every label in the exported transitions $\mathcal{T}$ to at least one transition in $T$, that is

$\forall id \in \mathcal{T} .\ \exists \tau \in T .\ (\tau, id) \in \Lambda$

For internal transitions, i.e., transitions that do not have a label in $\mathcal{T}$, we require that they do not modify the input variables, that is,

$\rho_\tau \to \bigwedge_{v \in V_i} v' = v$ for all $\tau \in \{\tau \mid \forall id \in \mathcal{T} .\ (\tau, id) \notin \Lambda\}$

— $J \subseteq T$: the set of just transitions.

— $C \subseteq T$: the set of compassionate transitions.

Modules can be parameterized, to represent, similar to the parameterized transition systems introduced in Section 2, functions from the parameters to transition modules.

Definition 5 Parameterized Transition Module. Let $\mathcal{M}$ be the class of all modules, and $P = (p_1, \ldots, p_n)$ a tuple of parameters with types $t_1, \ldots, t_n$. Then a parameterized transition module (PTM) $M : t_{p_1} \times \ldots \times t_{p_n} \mapsto \mathcal{M}$ is a function from parameters to transition modules.

3.2 Example: Arbiter node 

As described in Section 1, an arbiter is a device that guarantees mutual exclusion to a critical resource. Figure 1 shows the hierarchical design for an arbiter dealing with $2^h$ clients, which repeatedly uses the module ArbiterNode (shown enlarged). An ArbiterNode establishes mutual exclusion between two clients: its "left" and "right" client. In this section we only discuss the ArbiterNode module; in Section 3.7 we will return to the complete arbiter design.

The two clients of the ArbiterNode can request the grant by setting their request bits, reqL and reqR for the left and right client, respectively. If the ArbiterNode owns the grant, that is, if the gr bit is set, it can pass the grant on to a client by setting the client's grant bit, grL or grR. The client can subsequently release the grant by resetting its request bit, which causes the arbiter to reset the grant bit (grL, grR) and either give the grant to its other client, or release its own grant by resetting req.

Figure 2 shows the description of the ArbiterNode module in STeP input format. In STeP, variables declared as external in, out, external out refer
Module ArbiterNode :

  external in gr, reqL, reqR : bool

  out req, grL, grR : bool where !req /\ !grL /\ !grR

  Transition RequestGrant Just:
    enable !gr /\ (reqL \/ reqR)
    assign req:=true

  Transition GrantLeft Just:
    enable gr /\ req /\ reqL /\ !grR
    assign grL:=true

  Transition GrantRight Just:
    enable gr /\ req /\ reqR /\ !grL /\ !reqL
    assign grR:=true

  Transition ReleaseLeft Just:
    enable gr /\ req /\ !reqL /\ grL
    assign grL:=false, grR:=reqR, req:=reqR

  Transition ReleaseRight Just:
    enable gr /\ req /\ !reqR /\ grR
    assign grR:=false, req:=false

EndModule

Fig. 2. ArbiterNode module.



to input, output and shared variables, respectively. The keywords enable and assign allow a description of the transition relation in a programming-like notation: the transition relation is the conjunction of the enabledness condition, a relation $a' = b$ for each assignment $a := b$, and $c' = c$ for any variable $c$ that is not explicitly assigned a new value.

The left client enjoys a slightly higher priority than the right client: if the 
node has the grant, and both the left and the right client request it, the grant 
will be given to the left client, by transition GrantLeft. On the other hand, the 
node releases the grant after it is released by the right client, even if the left 
client requests it. This is to make sure that the node does not keep the grant 
forever: the grant is given at most once to each client before it is released again. 



3.3 Associated Transition System 

As mentioned before, it is our objective to reason about modules and use the 
results as lemmas in the proof of properties that use these modules. To do 
so, we relate modules to transition systems: we define the associated transition system of a module, such that the set of computations of the associated transition system is a superset of the set of computations of any system that includes the module. We say that the set of computations of a module is equal to the set of computations of its associated transition system.

To ensure that the set of computations of a module includes all computations of a system including that module, we cannot make any assumptions about the environment of the module, except that it will not modify the module's private and output variables, and that it will not synchronize with the module's internal transitions. We model this environment by a single transition, called the environment transition, $\tau_{env}$, with transition relation

$\rho_{env} : \bigwedge_{v \in V_c \cup V_o \cup V_p} v' = v$

where $V_c$ are the constants of the module, and $V_o$ and $V_p$ are its output and private variables, respectively.

Given a transition module $M = (I, B)$, with $I = (V, \mathcal{T})$ and $B = (V_p, \Theta, T, \Lambda, J, C)$, we define its associated transition system

$S_M = (V_p \cup V, \Theta, T^*, J - T_{exp}, C - T_{exp})$

where $T^*$ denotes the set of associated transitions, i.e.,

$T^* = \{\tau \mid \exists \tau^* \in T_{int} .\ \rho_\tau = \rho_{\tau^*} \wedge \bigwedge_{v \in V_i} v' = v\} \cup T_{exp} \cup \{\tau_{env}\}$

and $T_{exp}$ is the set of exported transitions, i.e., transitions in $T$ that have an exported label

$T_{exp} = \{\tau \mid \exists id \in \mathcal{T} .\ (\tau, id) \in \Lambda\}$

$T_{int}$ is the set of internal transitions, i.e., transitions in $T$ that have no exported label

$T_{int} = \{\tau \mid \forall id \in \mathcal{T} .\ (\tau, id) \notin \Lambda\}$

The transition relation of the internal transitions is modified to account for the fact that these transitions, in contrast to the exported transitions, are guaranteed to preserve the values of the input variables, since they cannot synchronize with the environment. The fairness conditions are removed from the exported transitions, because we cannot make any assumptions about the enabling condition of the transitions with which they may synchronize (the enabling condition may be false), and therefore we can no longer assume that a just transition must eventually be taken as long as the local enabling condition continues to hold.

Example: The ArbiterNode presented in the previous section has three output variables, grL, grR and req, and no private variables. All transitions are internal. The associated transition system therefore consists of the module transitions shown in Figure 2 and the environment transition with the transition relation

$\rho_{env} : grL' = grL \wedge grR' = grR \wedge req' = req$
Parameterized transition modules. Parameterized transition modules have associated parameterized transition systems: let $M : P \mapsto \mathcal{M}$ be a parameterized module, then the associated parameterized transition system $S_M : P \mapsto \mathcal{F}$ maps each parameter value $p$ to the transition system associated with $M(p)$.

3.4 Module Systems: Definition 

We defined the notion of transition modules. In modular verification, however, 
we are not interested in single modules, but rather in a collection of modules 
that, together, describe the system behavior. For this purpose we define module 
systems. 



Vocabulary We assume a universal set of module identifiers $M_{id}$. Let $\mathcal{M}$ denote the set of all modules.

Definition 6 Module System. A module system $\mathcal{S} = (Menv, M_{main})$ consists of a module environment $Menv : M_{id} \mapsto \mathcal{M}$ and a designated main module



3.5 Module Systems: Syntax 

Module systems are described by a list of module declarations that define the 
module environment, followed by a module expression that defines the main 
module. The module declarations assign modules, also defined by module ex- 
pressions, to module identifiers. 



Module expressions 

If $\mathcal{E}, \mathcal{E}_1, \ldots, \mathcal{E}_n$ are well-formed module expressions, then so are the following:

— $(I, B)$, a direct module description, defining the interface $I$ and the body $B$ of a transition module.

— $id(e)$, where $id$ is a module identifier, and $e$ is a (possibly empty) list of expressions over constant symbols and variables, indicating a reference to another module.

— $(g_1 : \mathcal{E}_1); \ldots; (g_n : \mathcal{E}_n)$, where $g_1, \ldots, g_n$ are first-order formulas, denoting a case distinction: this allows us to describe differently structured modules for different parameter values.

— $(\mathcal{E}_1 \parallel \mathcal{E}_2)$. The parallel composition operator merges two modules into one module, keeping private variables apart, merging the interfaces, and synchronizing transitions that have the same label.

— Hide$(V, \mathcal{E})$, where $V$ is a set of variables, or a set of transition labels.

The Hide operator removes variables or transition labels from a module's interface. Removing variables from the interface makes them unavailable for reading or writing by the module's environment. Removing transition labels makes the corresponding transitions unavailable for synchronization under that label (a single transition may have multiple labels, so it may still synchronize under other labels).

— Rename$(\beta, \mathcal{E})$, where $\beta$ is a variable substitution $\beta : \mathcal{V} \mapsto \mathcal{V}$, or a transition label substitution $\beta : T_{id} \mapsto T_{id}$. The Rename operator renames variables or transition labels in the interface.

— Augment$(\beta, \mathcal{E})$, where $\beta$ is a mapping from variables to expressions over variables and constants.

The purpose of the augmentation operation is to create new variables in the interface that maintain the same value as the corresponding value of the expression. To ensure that the module can maintain these values, the expression may contain only private and output variables.

— Restrict$(\beta, \mathcal{E})$, where $\beta$ is a mapping from variables to expressions over variables and constants.

The purpose of the restrict operation is to replace input variables in the interface by expressions over other input variables.



Module Systems 

If $\mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{E}_{main}$ are well-formed module expressions, $id_1, \ldots, id_n$ are module identifiers and $P_1, \ldots, P_n$ are (possibly empty) lists of formal parameters, then

$id_1(P_1) = \mathcal{E}_1;\ \ldots;\ id_n(P_n) = \mathcal{E}_n;\ \mathcal{E}_{main}$

is a well-formed module system.



3.6 Module Systems: Semantics 

A description of a module system defines both a modular environment Menv 
and a main module. We will first define the semantics of module expressions, 
assuming the existence of a modular environment Menv. The semantics of a 
module system will be defined at the end of this section. 



Module Expressions 

A module expression E denotes a transition module. To be able to resolve ref- 
erences to other modules and to evaluate guards, the meaning of module ex- 
pressions is relative to a module environment Menv and variable environment 
Venv. In the following we assume that these are given. 



Direct descriptions The semantics of module expressions is defined inductively. As the base case we have the expression that describes a module directly; in this case

$[\![(I, B)]\!]_{Menv,Venv} = ((V, \mathcal{T}), (V_p, \Theta, T, \Lambda, J, C))$

Reference If the expression is a reference to another module, that is $\mathcal{E} = id(A)$, then the expression is well-defined if the module environment $Menv$ assigns a parameterized module $M$ to $id$, and $A$ is type consistent with $M$'s parameters. Then:

$[\![id(A)]\!]_{Menv,Venv} = M([\![A]\!]_{Venv})$



Definitions and Conventions Before we define the semantics of the other op- 
erations we will introduce some definitions and conventions. To ensure that the 
result of composing two modules is again a transition module, we have to impose 
some conditions on their interfaces, in particular that they do not make incon- 
sistent assumptions about their environments. We also require that transitions 
that will be synchronized in the composition have the same fairness conditions. 

Definition 7 Compatible Modules. Two modules are compatible if:

1. Their interfaces $I_1 = (V_1, \mathcal{T}_1)$ and $I_2 = (V_2, \mathcal{T}_2)$ are compatible, that is, an output variable of one module is not a shared or output variable of the other module.

2. Their exported transitions $T_{exp,1}$ and $T_{exp,2}$ have compatible fairness conditions. That is, for $\tau_1 \in T_{exp,1}$ and $\tau_2 \in T_{exp,2}$ with the same label, we require that $\tau_1 \in J_1 \leftrightarrow \tau_2 \in J_2$ and $\tau_1 \in C_1 \leftrightarrow \tau_2 \in C_2$.

In the definition of the operators we will frequently have to rename part or all of the variables. In the definitions we will use the following convention. Given an expression $E(v_1, \ldots, v_n)$ and a variable renaming function $\alpha : \mathcal{V} \mapsto \mathcal{V}$, we denote by $\alpha(E(v_1, \ldots, v_n))$ the expression $E(\alpha(v_1), \ldots, \alpha(v_n))$. We assume that for every $v \in \mathcal{V}$, if $\alpha$ maps $v$ into $w$, then it also maps $v'$ into $w'$. We will occasionally write $\alpha(T)$ to represent the set of transitions such that all variables and primed variables in the transition relation are renamed according to $\alpha$.



Case distinction Let $\mathcal{E}_1, \ldots, \mathcal{E}_n$ be well-defined module expressions denoting the modules

$[\![\mathcal{E}_1]\!]_{Menv,Venv}, \ldots, [\![\mathcal{E}_n]\!]_{Menv,Venv} = M_1, \ldots, M_n$

and $g_1, \ldots, g_n$ be first-order formulas. The expression $g_1 : \mathcal{E}_1; \ldots; g_n : \mathcal{E}_n$ is well-defined if

— $M_1, \ldots, M_n$ have identical interfaces, and

— the free variables of $g_1, \ldots, g_n$ do not appear in the input, output, shared or private variables of $M_1, \ldots, M_n$, and

— for every variable environment $Venv$ there exists exactly one $i$, $1 \leq i \leq n$, such that $[\![g_i]\!]_{Venv}$ is true.

If well-defined, the module expression $g_1 : \mathcal{E}_1; \ldots; g_n : \mathcal{E}_n$ denotes the module

$[\![g_1 : \mathcal{E}_1; \ldots; g_n : \mathcal{E}_n]\!]_{Menv,Venv} = \begin{cases} M_1 & \text{if } [\![g_1]\!]_{Venv} \text{ is true} \\ \ldots \\ M_n & \text{if } [\![g_n]\!]_{Venv} \text{ is true} \end{cases}$
Parallel composition Let $\mathcal{E}_1$ and $\mathcal{E}_2$ be two well-defined module expressions denoting

$[\![\mathcal{E}_1]\!]_{Menv,Venv} = M_1 = ((V_1, \mathcal{T}_1), (V_{p,1}, \Theta_1, T_1, \Lambda_1, J_1, C_1))$

$[\![\mathcal{E}_2]\!]_{Menv,Venv} = M_2 = ((V_2, \mathcal{T}_2), (V_{p,2}, \Theta_2, T_2, \Lambda_2, J_2, C_2))$

Then $[\![\mathcal{E}_1 \parallel \mathcal{E}_2]\!]_{Menv,Venv}$ is well-defined if the interfaces $(V_1, \mathcal{T}_1)$ and $(V_2, \mathcal{T}_2)$ are compatible. If well-defined, the expression $[\![\mathcal{E}_1 \parallel \mathcal{E}_2]\!]_{Menv,Venv}$ denotes

$[\![\mathcal{E}_1 \parallel \mathcal{E}_2]\!]_{Menv,Venv} = ((V, \mathcal{T}), (V_p, \Theta, T, \Lambda, J, C))$

where

— Interface Variables: $V = V_1 \cup V_2$. The partitioning of $V$ into input, output, and shared variables is shown in Figure 3, where X denotes combinations that are not allowed.

                        $v_2 \in V_{i,2}$    $v_2 \in V_{o,2}$    $v_2 \in V_{s,2}$
  $v_1 \in V_{i,1}$         $V_i$                $V_o$                $V_s$
  $v_1 \in V_{o,1}$         $V_o$                X                    X
  $v_1 \in V_{s,1}$         $V_s$                X                    $V_s$

Fig. 3. Combination of interface variables.

— Exported transitions: $\mathcal{T} = \mathcal{T}_1 \cup \mathcal{T}_2$

— Private variables: Since we do not require $V_{p,1}$ and $V_{p,2}$ to be disjoint, we have to rename private variables to ensure that private variables of different modules are not identified with each other. To do so we let $V_p$ be the disjoint union of $V_{p,1}$ and $V_{p,2}$ and define $\alpha_1$ to be the mapping that maps every variable from $V_{p,1}$ into the corresponding variable of $V_p$, and maps all other variables to themselves; $\alpha_2$ is defined similarly. We assume that $V_p \cap V = \emptyset$. So we have

$V_p = V_{p,1} \uplus V_{p,2} = \alpha_1(V_{p,1}) \cup \alpha_2(V_{p,2})$

— Initial Condition: Let $\alpha_i$ be the renaming functions defined before. The initial condition of the composition is the conjunction of the two initial conditions after appropriately renaming the private variables:

$\Theta = \alpha_1(\Theta_1) \wedge \alpha_2(\Theta_2)$

— Transitions: The new set of transitions is given by

$T = T_{1,p} \cup T_{2,p} \cup T_{syn}$

where $T_{1,p}$, or $M_1$'s private transitions, are the transitions from $M_1$ that do not synchronize with transitions of module $M_2$, and similarly for $T_{2,p}$, and $T_{syn}$ contains the result of synchronizing those transitions in $M_1$ and $M_2$ whose labels appear in both interfaces. Variables in the transition relations are renamed according to the renaming functions $\alpha_i$ as before. For internal transitions, a conjunct is added to the transition relation stating that the transition does not modify the private variables originating from the other module. Formally, for $(i,j) = (1,2), (2,1)$:

$T_{i,p} = \{\tau \mid \exists \tau^* \in T_i .\ \exists id \in T_{id} .\ ((\tau^*, id) \in \Lambda_i \wedge id \notin id_{syn}) \wedge \rho_\tau = \rho^p_{\tau^*}\}$

where $\rho^p_{\tau^*}$ is the new transition relation, taking into account the preservation of the private variables of the other module, that is, $\rho^p_{\tau^*} = \alpha_i(\rho_{\tau^*}) \wedge \alpha_j(\bigwedge_{v \in V_{p,j}} v' = v)$, and $id_{syn}$ is the set of labels that are exported by both modules, that is

$id_{syn} = \mathcal{T}_1 \cap \mathcal{T}_2$

The set of synchronized transitions is described by

$T_{syn} = \{\tau \mid \exists id \in id_{syn}, \tau_1 \in T_1, \tau_2 \in T_2 .\ (\tau_1, id) \in \Lambda_1 \wedge (\tau_2, id) \in \Lambda_2 \wedge \rho_\tau = (\alpha_1(\rho_{\tau_1}) \wedge \alpha_2(\rho_{\tau_2}))\}$

Note that if a transition $\tau$ has a label that synchronizes and a label that does not synchronize, the composed module will contain the synchronized transition as well as the unsynchronized version.

— Labeling function: A synchronized transition has the same label as its constituent transitions, that is, for $id \in id_{syn}$

$\Lambda_{syn} = \{(\tau, id) \mid \exists \tau_1, \tau_2 .\ (\tau_1, id) \in \Lambda_1 \wedge (\tau_2, id) \in \Lambda_2 \wedge \rho_\tau = (\alpha_1(\rho_{\tau_1}) \wedge \alpha_2(\rho_{\tau_2}))\}$

and unsynchronized transitions keep the same label, that is, for $id \notin id_{syn}$

$\Lambda_{un} = \{(\tau, id) \mid \exists \tau^* .\ ((\tau^*, id) \in \Lambda_1 \wedge \rho_\tau = \rho^p_{\tau^*}) \vee ((\tau^*, id) \in \Lambda_2 \wedge \rho_\tau = \rho^p_{\tau^*})\}$

Finally,

$\Lambda = \Lambda_{syn} \cup \Lambda_{un}$

— Fairness conditions: Since we are assuming that transitions can synchronize only if their fairness conditions are the same, we can take the union of the two sets, accounting for the renaming of the transition relations:

$J = \alpha_1(J_1) \cup \alpha_2(J_2)$
$C = \alpha_1(C_1) \cup \alpha_2(C_2)$
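To make the $T_{1,p}$, $T_{2,p}$ and $T_{syn}$ construction concrete, here is an added Python example (not code from the paper or from STeP) that computes the transitions of $M_1 \parallel M_2$ for two small constructed modules. It assumes transition relations given as Python predicates over an unprimed state s and a primed state t (both dicts), that the private variables have already been renamed apart (so $\alpha_1$ and $\alpha_2$ are the identity), and, since the definition above quantifies over labels in $T_{id}$, it treats a transition carrying no label at all as an unsynchronized one. The sender/receiver modules, their variable names (x, ch, buf) and their labels (send, tick) are constructed for this example.

```python
"""Transition part of the parallel composition M1 || M2 (Section 3.6): the
private transitions T_{1,p}, T_{2,p} and the synchronized transitions T_syn.
A transition relation is a predicate rel(s, t) over an unprimed state s and a
primed state t (dicts); a module is a dict with its private variables, its
exported labels and a list of (name, relation, labels) triples.
Assumptions of this example: private variables are already renamed apart
(alpha_i = identity) and an unlabelled transition counts as unsynchronized."""


def preserve(rel, variables):
    """rel(s, t) and v' = v for every v in variables: the alpha_j conjunct
    that keeps the other module's private variables unchanged."""
    return lambda s, t: rel(s, t) and all(t[v] == s[v] for v in variables)


def conj(rel1, rel2):
    """Synchronization: the conjunction of the two transition relations."""
    return lambda s, t: rel1(s, t) and rel2(s, t)


def compose_transitions(m1, m2):
    """(name, relation, labels) triples of T = T_{1,p} U T_{2,p} U T_syn."""
    idsyn = m1["labels"] & m2["labels"]           # labels exported by both modules
    result = []
    # T_{i,p}: transitions of M_i kept under their non-synchronizing labels,
    # with the private variables of the other module M_j preserved
    for me, other in ((m1, m2), (m2, m1)):
        for name, rel, labels in me["trans"]:
            unsync = labels - idsyn
            if unsync or not labels:
                result.append((name, preserve(rel, other["priv"]), unsync))
    # T_syn: one transition for every pair that carries a common label
    for lab in sorted(idsyn):
        for n1, r1, l1 in m1["trans"]:
            for n2, r2, l2 in m2["trans"]:
                if lab in l1 and lab in l2:
                    result.append((f"{n1}|{n2}", conj(r1, r2), {lab}))
    return result


# Constructed example: a sender with private counter x publishes x on the
# variable ch under the labels "send" and "tick"; a receiver copies ch into
# its private buf under "send" and has an unlabelled internal reset.
SENDER = {"priv": {"x"}, "labels": {"send", "tick"}, "trans": [
    ("emit", lambda s, t: t["x"] == s["x"] + 1 and t["ch"] == s["x"], {"send", "tick"}),
]}
RECEIVER = {"priv": {"buf"}, "labels": {"send"}, "trans": [
    ("recv", lambda s, t: t["buf"] == s["ch"], {"send"}),
    ("reset", lambda s, t: t["buf"] == 0, set()),
]}


def composed_names():
    """Names and labels of the transitions of SENDER || RECEIVER."""
    return [(n, sorted(ls)) for n, _, ls in compose_transitions(SENDER, RECEIVER)]


def fires(name, s, t):
    """Does the composed transition `name` relate state s to state t?"""
    return any(rel(s, t) for n, rel, _ in compose_transitions(SENDER, RECEIVER) if n == name)
```

Because "emit" carries one label that synchronizes ("send") and one that does not ("tick"), the composition contains both the synchronized transition "emit|recv" and the unsynchronized "emit", exactly as the note after $T_{syn}$ states; "recv" only carries "send" and therefore survives solely in synchronized form. The unsynchronized versions additionally refuse any step that changes the other module's private variable.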
Hiding Let $\mathcal{E}$ be a well-defined module expression denoting

$[\![\mathcal{E}]\!]_{Menv,Venv} = (I = (V, \mathcal{T}), B = (V_p, \ldots))$

and $X$ a set of variables. Then

$[\![\mathrm{Hide}(X, \mathcal{E})]\!]_{Menv,Venv} = ((V - X, \mathcal{T}), (V_p \cup X, \ldots))$

If $X$ is a set of transition labels then

$[\![\mathrm{Hide}(X, \mathcal{E})]\!]_{Menv,Venv} = ((V, \mathcal{T} - X), B)$



Renaming Let $\mathcal{E}$ be a well-defined module expression denoting

$[\![\mathcal{E}]\!]_{Menv,Venv} = ((V, \mathcal{T}), (V_p, \Theta, T, \Lambda, J, C))$

and $\beta : \mathcal{V} \mapsto \mathcal{V}$ a function that maps variables into variables. $\alpha$ is a renaming on the private variables that ensures that $V_p$ and $V$ are still disjoint after the renaming: if for some interface variable $v \in V$ and private variable $w \in V_p$, $\beta(v) = w$, then $\alpha(w) = z$, where $z$ is a new variable, not present in the interface or in the private variables. Then

$[\![\mathrm{Rename}(\beta, \mathcal{E})]\!]_{Menv,Venv} = ((\beta(\alpha(V)), \mathcal{T}), (\alpha(V_p), \beta(\alpha(\Theta)), \beta(\alpha(T)), \Lambda, \beta(\alpha(J)), \beta(\alpha(C))))$

If $\beta : T_{id} \mapsto T_{id}$ is a function that maps transition labels into transition labels, then

$[\![\mathrm{Rename}(\beta, \mathcal{E})]\!]_{Menv,Venv} = ((V, \beta(\mathcal{T})), (V_p, \Theta, T, \beta(\Lambda), J, C))$

where $(\tau, id) \in \beta(\Lambda)$ iff $\exists id^* .\ id = \beta(id^*) \wedge (\tau, id^*) \in \Lambda$.



Augmentation Let $\mathcal{E}$ be a well-defined module expression denoting

$[\![\mathcal{E}]\!]_{Menv,Venv} = ((V, \mathcal{T}), (V_p, \Theta, T, \Lambda, J, C))$

and $\beta$ a partial function mapping variables into expressions over output variables. Again, $\alpha$ is a renaming of the private variables that keeps $V$ and $V_p$ disjoint.

$[\![\mathrm{Augment}(\beta, \mathcal{E})]\!]_{Menv,Venv} = ((V \cup dom(\beta), \mathcal{T}), (\alpha(V_p), \Theta^*, T^*, \Lambda, J^*, C^*))$

where the variables in $dom(\beta)$ are added to the output variables. A constraint on the new variables is added to the initial condition:

$\Theta^* = \alpha(\Theta) \wedge \bigwedge_{v \in dom(\beta)} v = \beta(v)$

and all transition relations are augmented to update the newly added variables, that is

$T^* = \{\tau \mid \exists \tau^* \in T .\ \rho_\tau = \alpha(\rho_{\tau^*}) \wedge \bigwedge_{v \in dom(\beta)} v' = \beta(v)'\}$

$J^*$ and $C^*$ are defined analogously.
Restriction Let $\mathcal{E}$ be a module expression denoting $[\![\mathcal{E}]\!]_{Menv,Venv} = ((V, \mathcal{T}), (V_p, \Theta, T, \Lambda, J, C))$, $V_n$ a set of fresh variables, and $\beta$ a partial function, mapping input variables into expressions over variables in $V_n$. Then

$[\![\mathrm{Restrict}(\beta, \mathcal{E})]\!]_{Menv,Venv} = (((V - dom(\beta)) \cup V_n, \mathcal{T}), (\alpha(V_p), \beta(\alpha(\Theta)), \beta(\alpha(T)), \Lambda, \beta(\alpha(J)), \beta(\alpha(C))))$

where the variables in $V_n$ are added to the input variables. $\beta$ is applied to the initial condition and all transition relations. As before, $\alpha$ denotes the renaming of the private variables necessary to keep $V_p$ and $V$ disjoint.

Module Systems

A module system is described by a list of equations of the form $id_i(P_i) = \mathcal{E}_i$ defining the modular environment, followed by an expression $\mathcal{E}_{main}$ defining the main module. The modular environment $Menv$ is defined as follows,

$Menv = \mathrm{lfp}\ \lambda Menv^* .\ \{\ id_1 \mapsto \lambda X .\ [\![\mathcal{E}_1]\!]_{Menv^*, Venv[P_1 \backslash X]},\ \ id_2 \mapsto \lambda X .\ [\![\mathcal{E}_2]\!]_{Menv^*, Venv[P_2 \backslash X]},\ \ \ldots\ \}$

where lfp denotes the least fixpoint. The main module is the interpretation of $\mathcal{E}_{main}$ in this environment:

$M_{main} = [\![\mathcal{E}_{main}]\!]_{Menv,Venv}$

In the remainder we assume that a given module system is well-defined, that is, the environment has a unique least fixpoint.

3.7 Example: Arbiter 

Continuing the arbiter example, we now describe the full hierarchical arbiter. The Arbiter module is composed from an ArbiterTree and a module named Top that gives and takes grants. ArbiterTree is a tree of ArbiterNodes as defined in Figure 2. Both Arbiter and ArbiterTree are parameterized by their height h.

An ArbiterTree of height h communicates with $2^h$ clients, who can each request access by setting a request bit. One client at a time will be given access to the resource, and the Arbiter informs the client about its granted access by setting the client's grant bit. The leaves of the tree are defined by an expression over ArbiterNode (++ denotes bit-vector concatenation):

  LeafNode = Hide(grL, grR,
               Augment(grants = grL ++ grR,
                 Restrict(reqL = requests[0], reqR = requests[1],
                   ArbiterNode)))
The Restrict operation instantiates its input variables reqL and reqR with the actual request bits of the clients, and the Augment operation combines the two output variables grL and grR into a single variable grants. After the augmentation, the output variables grL and grR can be hidden. Thus the interface of LeafNode is

  $V_i$: gr: bool
        requests: bitvector[2]
  $V_o$: req: bool
        grants: bitvector[2]
The parameterized module ArbiterTree is described by the module expression

  ArbiterTree(h) =
    h = 1: LeafNode
    h > 1: Hide(grantsL, grantsR, grL, grR, reqL, reqR,
             Augment(grants = grantsL ++ grantsR,
               (Restrict(requests = requests[0 : 2^(h-1) - 1],
                  Rename(gr = grL, req = reqL, grants = grantsL,
                    ArbiterTree(h-1)))
                || ArbiterNode
                || Restrict(requests = requests[2^(h-1) : 2^h - 1],
                     Rename(gr = grR, req = reqR, grants = grantsR,
                       ArbiterTree(h-1))))))

Each instance has the interface

  $V_i$: gr: bool
        requests: bitvector[0..$2^h - 1$]
  $V_o$: req: bool
        grants: bitvector[0..$2^h - 1$]



For any given h, the parameterized module ArbiterTree describes a tree of height h. The module expression is illustrated by Figure 4, which shows the three modules that are composed and their input and output variables. Note that the Augment and Restrict operations are necessary to obtain identical interfaces for the cases h = 1 and h > 1.

We complete our description of a hierarchical arbiter by defining the Arbiter module, the main module of the system. An ArbiterTree of height h guarantees mutual exclusion among the $2^h$ clients, but the tree will only give a grant to
[Figure 4 (image): ArbiterNode composed with a left ArbiterTree(h-1) and a right ArbiterTree(h-1)]

Fig. 4. Composition of ArbiterNode and a left and right subtree.



Module Top:

  out gr : bool where gr=false

  external in req : bool

  Transition Grant Just:
    enable !gr /\ req
    assign gr:=true

  Transition Retract Just:
    enable gr /\ !req
    assign gr:=false

EndModule

Fig. 5. Module Top.



some client if it has received the grant from its parent entity. This parent entity 
is represented by the module Top, shown in Figure 5. 

Top’s only actions are to award a grant when one is requested and retract a 
grant when one is released. 

The main module is described as an instance Arbiter(/i) of the parameterized 
Arbiter module, which is defined as follows: 
  Arbiter(h) = Hide(req, gr, (ArbiterTree(h) || Top))

and has interface

  $V_i$: requests: bitvector[$2^h$]
  $V_o$: grants: bitvector[$2^h$]



4 Deductive Verification 

In the previous sections we have developed a formalism for modular system 
descriptions. In this section we now move on to the verification of such systems. 
We begin with an introduction to available formalisms for the global verification 
of transition systems in Section 4.1. Next, we extend the notion of (global) 
program validity of temporal formulas to modular validity. For systems with 
non-recursive descriptions we give a proof rule in Section 4.2. While this is a 
feasible approach to establish the modular validity, we are interested in methods 
that make use of the structure given by module descriptions. In Section 4.3 
we discuss how modular properties can be inherited by other modules, and in 
Section 4.4 we define module abstraction. Finally, in Section 4.5, we discuss the 
verification of recursively described modules. 

4.1 Verification of Transition Systems 

The classical deductive framework for the verification of fair transition systems 
is based on verification rules, which reduce temporal properties of systems to 
first-order or simpler temporal premises [MP95b]. 



For a past formula $\varphi$, 

$$\frac{\begin{array}{l} 1.\ S \models \Theta \to \varphi \\ 2.\ \{\varphi\}\, T_S\, \{\varphi\} \end{array}}{S \models \Box\varphi}$$

Fig. 6. Invariance rule INV. 

Figure 6 presents the invariance rule, INV, which can be used to establish 
the S-validity of formulas of the form $\Box\varphi$, where $\varphi$ is a past formula. Here 
$\{\varphi\}\, T_S\, \{\varphi\}$ stands for $\models (\rho_\tau \wedge \varphi \to \varphi')$ for all transitions $\tau \in T_S$. An invariant 
$\varphi$ may not be inductive (that is, it may not be preserved by all transitions), 
in which case it can be necessary to find a stronger, inductive invariant that 
implies $\varphi$, and prove it first. An alternative approach is to first prove a set of 
simpler invariants $\varphi_1, \ldots, \varphi_k$ and then use them to establish the more complicated 
invariant $\varphi$. 

Graphical formalisms can facilitate the task of guiding and understanding a 
deductive proof. Verification diagrams [MP94, BMS95] provide a graphical rep- 
resentation of the verification conditions needed to establish a particular tem- 
poral formula over a transition system. In this paper we will use generalized 
verification diagrams [BMS95, BMS96] to prove response properties. 



Generalized Verification Diagrams A verification diagram is a graph, with 
nodes labeled by assertions and propositions and edges labeled by sets of tran- 
sitions, that represents a proof that a transition system S satisfies a temporal 
property $\varphi$. A subset of the nodes is marked as initial. First-order verification 
conditions associated with the diagram prove that the diagram faithfully rep- 
resents all computations of S. The edge labeling is used to express the fairness 
properties of the transitions relevant to the property. 

Some of the first-order verification conditions generated by the diagram are 
as follows (for a full description, see [BMS95]): 

— Initiation: At least one initial node satisfies the initial condition of S. 

— Consecution: Any $\tau$-successor of a state that satisfies the assertion of a node 
n must satisfy the assertion of some successor node of n. 

— Fairness: If an edge is labeled with a transition, that transition is guaranteed 
to be enabled. 

That the diagram satisfies $\varphi$ can be checked algorithmically, by view- 
ing the diagram as an automaton (considering its propositional labeling only) 
and checking that its language is included in the language of the formula. Multi- 
ple diagrams can be combined such that the intersection of their (propositional) 
languages is included in the language of the formula [BMS96]. 



4.2 Verification of Modular Properties 

The goal of modular verification is to reduce the task of verifying a system as 
a whole to the verification of modules. In this section we will define modular 
validity and we will describe a proof rule to establish modular properties. 

We use the notion of associated transition systems, introduced in Section 3.3, 
to define the modular validity of a temporal property: 

Definition 8 Modular Validity. We say that a property $\varphi$ is modularly valid, 
or M-valid for a module M, denoted by 

$M \models \varphi$ 

if $\varphi$ is valid over the transition system $S_M$ associated with M. 

The set of computations of the associated transition system includes any com- 
putation of a system that contains the module. A modular property is therefore 
valid over any system that contains the module. 
Definition 9 Module descriptions in normal form. A module description 
is in normal form if it is either a direct description or a case distinction where 
all subexpressions are direct descriptions. 

Figure 7 presents a proof rule that reduces modular validity to a set of system 
validities, based on a case distinction on the guards. The rule requires the module 
description to be in normal form. Note that any non-recursive description can 
be transformed into normal form, by first expanding the references and then 
reducing module expressions to direct descriptions. 



For a module M, described in normal form 
$g_1 : M_1 \ \ldots\ g_n : M_n$ 
and a temporal formula $\varphi$, 

$$\frac{S_{[M_i]} \models g_i \to \varphi \quad \text{for } i = 1 \ldots n}{M \models \varphi}$$

Fig. 7. Modular validity rule MOD. 



4.3 Property Inheritance 

Rule MOD of Figure 7 allows us to prove the modular validity of properties. The 
obvious limitation of the rule lies in the requirement that the module description 
be in normal form: transforming the description into normal form means that 
all structural information is lost. The inheritance proof rules shown in Figure 8, 
by contrast, make explicit use of this structure. Property inheritance allows us 
to use properties that were previously proven to be valid over other modules as 
lemmas in a modular proof. 



Example: In the Arbiter example, assume we have shown that ArbiterNode 
establishes mutual exclusion between its two clients: 

$\mathit{ArbiterNode} \models \Box\neg(\mathit{grL} \wedge \mathit{grR})$ 

LeafNode is described in terms of ArbiterNode. It inherits the corresponding 
property 

$\mathit{LeafNode} \models \Box\neg(\mathit{grants}[0] \wedge \mathit{grants}[1])$ 

which is in turn inherited by ArbiterTree(1): 

$\mathit{ArbiterTree}(1) \models \Box\neg(\mathit{grants}[0] \wedge \mathit{grants}[1])$ 
For module expressions M, N, a mapping $\beta$ on variables, 
a mapping $\iota$ on transition identifiers, and a temporal formula $\varphi$, 

$$\frac{[M] \models \varphi}{[M \,\|\, N] \models \alpha_N(\varphi)} \qquad
\frac{[M] \models \varphi}{[\mathit{Hide}(M, X)] \models \varphi} \qquad
\frac{[M] \models \varphi}{[\mathit{Hide}(M, T)] \models \varphi}$$

$$\frac{[M] \models \varphi}{[\mathit{Rename}(M, \beta)] \models \beta(\alpha(\varphi))} \qquad
\frac{[M] \models \varphi}{[\mathit{Rename}(M, \iota)] \models \varphi}$$

$$\frac{[M] \models \varphi}{[\mathit{Augment}(M, \beta)] \models \alpha(\varphi)} \qquad
\frac{[M] \models \varphi}{[\mathit{Restrict}(M, \beta)] \models \beta(\alpha(\varphi))} \qquad
\frac{[M]([N]) \models \varphi}{[M(N)] \models \varphi}$$

$$\frac{[M_i] \models g_i \to \varphi \quad \text{for } i = 1 \ldots n}{[g_1 : M_1 \ \ldots\ g_n : M_n] \models \varphi}$$

Fig. 8. Property inheritance for various operators. 



The inheritance rules for the different module operators in Figure 8 can be 
justified by showing that a refinement mapping [AL88] exists between the tran- 
sition systems associated with the modules given in the premise and those in the 
conclusion. We consider refinement mappings that are induced by a substitution 
relation: 

Definition 10 Refinement. Let $S^a$ and $S^c$ be two transition systems, called 
the abstract and concrete transition system, respectively, and $\alpha : V^a \to E(V^c)$ 
a substitution relation mapping variables from $S^a$ to expressions over variables 
in $S^c$. The transition system $S^c$ is an $\alpha$-refinement of $S^a$, denoted $S^c \sqsubseteq_\alpha S^a$, 
if for every computation $\sigma^c$ of $S^c$ there exists a computation $\sigma^a$ of $S^a$ such 
that $\sigma^c = \alpha(\sigma^a)$, where $\alpha$ is extended to a mapping on computations in the 
obvious way. 

The proof rule in Figure 9 states that if $S^c$ is an $\alpha$-refinement of $S^a$, prop- 
erties of $S^a$ are inherited by $S^c$. 

Justification: Assume $S^a \models \varphi$ and $S^c \sqsubseteq_\alpha S^a$. Let $\sigma^c$ be a computation 
of $S^c$. By the definition of refinement, there exists a computation $\sigma^a$ of $S^a$ 
For two transition systems $S^a$, $S^c$ 
and a temporal formula $\varphi$, 

$$\frac{\begin{array}{l} \mathrm{IH1.}\ S^a \models \varphi \\ \mathrm{IH2.}\ S^c \sqsubseteq_\alpha S^a \end{array}}{S^c \models \alpha(\varphi)}$$

Fig. 9. General inheritance rule G-INH. 

such that $\sigma^c = \alpha(\sigma^a)$. Because $S^a \models \varphi$ we have in particular $\sigma^a \models \varphi$, and thus 
$\alpha(\sigma^a) \models \alpha(\varphi)$ as required. 

Figure 10 presents a proof rule to establish a refinement relation between 
two transition systems. The rule assumes the existence of a surjective transition 
mapping $\gamma : T^c \to T^a$ that maps each concrete transition to a corresponding 
abstract transition with the same or weaker fairness condition. 



For two transition systems $S^c$, $S^a$ and a surjective function $\gamma : T^c \to T^a$, 
such that $\tau^c \in J^c$ implies $\gamma(\tau^c) \notin C^a$, 
and $\tau^c \in T^c - (J^c \cup C^c)$ implies $\gamma(\tau^c) \notin J^a \cup C^a$, 

$$\frac{\begin{array}{ll}
\mathrm{R1.} & \Theta^c \to \alpha(\Theta^a) \\
\mathrm{R2.} & \rho_{\tau^c} \to \alpha(\rho_{\gamma(\tau^c)}) \quad \text{for every } \tau^c \in T^c \\
\mathrm{R3.} & \alpha(\mathit{En}_{\gamma(\tau^c)}) \to \mathit{En}_{\tau^c} \quad \text{for every } \tau^c \in T^c \text{ with } \gamma(\tau^c) \in J^a \cup C^a
\end{array}}{S^c \sqsubseteq_\alpha S^a}$$

Fig. 10. Basic refinement rule B-REF. 



Justification: Assume that $\sigma^c = s_0, s_1, \ldots$ is a computation of $S^c$. We have 
to show that the premises ensure there exists a corresponding computation 
$\sigma^a = \alpha(s_0), \alpha(s_1), \ldots$ of the abstract system $S^a$. By R1 and $s_0 \models \Theta^c$, we have 
$\alpha(s_0) \models \Theta^a$. For every two consecutive states $s_i, s_{i+1}$ in $\sigma^c$, the transition re- 
lation of some concrete transition $\tau^c$ must be satisfied; by R2, the transition 
relation of the corresponding abstract transition $\gamma(\tau^c)$ is satisfied for states 
$\alpha(s_i), \alpha(s_{i+1})$. It remains to show that $\sigma^a$ is fair. Since $\gamma$ is onto, there exists 
for every fair transition $\tau^a$ a transition $\tau^c$ with equal or stronger fairness, and 
thus by R2 and R3, $\tau^a$'s fairness conditions can only be violated if $\tau^c$'s fairness 
conditions are violated. 

Clearly, refinement under a transition mapping $\gamma$, denoted by $\sqsubseteq^\gamma$, is a 
stronger property than refinement alone. However, it suffices for our purposes, 
and results in simpler verification conditions than, for example, the more gen- 
eral proof rule presented in [KMP94], where proving refinement is reduced to 
the proof of a number of temporal properties. 



4.4 Module Abstraction 

It is often the case that some components of a module are irrelevant to the 
validity of a property to be proven. Module abstraction allows us to ignore some 
or all of the details of those components in the proof, thus simplifying the proof. 

The idea is that in a module expression, subexpressions can be replaced by 
other expressions denoting simpler modules, provided those modules modularly 
simulate the original module, that is, the new module can simulate the original 
module in any expression. 

Definition 11 Modular simulation. A module $[M^a]$ simulates a module $[M^c]$, 
denoted by $[M^c] \sqsubseteq [M^a]$, if for all modular expressions $\mathcal{E}(M)$, 

$S_{[\mathcal{E}(M^c)]} \sqsubseteq S_{[\mathcal{E}(M^a)]}$ 

A proof rule to establish modular simulation between two modules is shown 
in Figure 11. 

Justification: Consider two modules $[M^c]$ and $[M^a]$ with identical interface 
I. Assume a surjective transition mapping $\gamma : T^c \to T^a$ between the sets of 
transitions that fulfills the conditions S1-S3 (which are identical to the premises 
R1-R3 in rule B-REF, with $\alpha$ being the identity) and that is consistent with the 
transition labeling, expressed by premises S4 and S5 respectively: each exported 
label of a concrete transition $\tau$ is also a label of $\gamma(\tau)$, and if a concrete transition 
$\tau$ has an internal label, then so does $\gamma(\tau)$. 



For two modules $M^c$, $M^a$ with a common interface, 
and a surjective function $\gamma : T^c \to T^a$, 
such that $\tau^c \in J^c$ implies $\gamma(\tau^c) \notin C^a$ 
and $\tau^c \in T^c - (J^c \cup C^c)$ implies $\gamma(\tau^c) \notin J^a \cup C^a$, 

$$\frac{\begin{array}{ll}
\mathrm{S1.} & \Theta^c \to \Theta^a \\
\mathrm{S2.} & \rho_{\tau^c} \to \rho_{\gamma(\tau^c)} \quad \text{for every } \tau^c \in T^c \\
\mathrm{S3.} & \mathit{En}_{\gamma(\tau^c)} \to \mathit{En}_{\tau^c} \quad \text{for every } \tau^c \in T^c \text{ with } \gamma(\tau^c) \in J^a \cup C^a \\
\mathrm{S4.} & \forall l \in T .\ \lambda^c(\tau^c, l) \to \lambda^a(\gamma(\tau^c), l) \quad \text{for every } \tau^c \in T^c \\
\mathrm{S5.} & \exists l^c \in T_{Id} - T .\ \lambda^c(\tau^c, l^c) \ \to\ \exists l^a \in T_{Id} - T .\ \lambda^a(\gamma(\tau^c), l^a) \quad \text{for every } \tau^c \in T^c
\end{array}}{M^c \sqsubseteq M^a}$$

Fig. 11. Modular simulation rule M-SIM. 
We show by induction on expressions that $[M^c] \sqsubseteq [M^a]$. For the base 
case we have to show $S_{[M^c]} \sqsubseteq S_{[M^a]}$. As the modules $[M^a]$ and $[M^c]$ have 
identical interfaces, we can extend $\gamma$ to a transition mapping $\gamma'$ on the associated 
transition systems as follows: 

$$\gamma'(\tau) = \begin{cases}
\tau_{env} & \text{if } \tau = \tau_{env} \\[2pt]
\tau' & \text{if } \rho_\tau = \rho_{\tau_0} \wedge \bigwedge_{v \notin V_I} v = v' \ \text{ and } \ \rho_{\tau'} = \rho_{\gamma(\tau_0)} \wedge \bigwedge_{v \notin V_I} v = v' \\
      & \quad \text{for some transition } \tau_0 \in T_{[M^c]} \\[2pt]
\tau' & \text{if } \rho_\tau = \rho_{\tau_0} \ \text{ and } \ \rho_{\tau'} = \rho_{\gamma(\tau_0)} \\
      & \quad \text{for some transition } \tau_0 \in T_{[M^c]}
\end{cases}$$

For the inductive step, for each of the operations we can show that given 
$[M^c] \sqsubseteq^\gamma [M^a]$, there is a transition mapping $\gamma'$, such that $[\mathcal{E}(M^c)] \sqsubseteq^{\gamma'} [\mathcal{E}(M^a)]$. 
Hence, $[M^c] \sqsubseteq^\gamma [M^a]$ implies that there is a transition mapping 
$\gamma''$, such that $S_{[\mathcal{E}(M^c)]} \sqsubseteq^{\gamma''} S_{[\mathcal{E}(M^a)]}$. 

The proof rule m-inh in Figure 12, a specialization of the general proof in- 
heritance rule shown in Figure 9, allows us to replace modules in an expression 
by simpler modules that simulate them. 



For modular expressions M, N, and $\mathcal{E}(M)$, 

$$\frac{\begin{array}{l} \mathrm{M1.}\ [\mathcal{E}(N)] \models \varphi \\ \mathrm{M2.}\ [M] \sqsubseteq [N] \end{array}}{[\mathcal{E}(M)] \models \varphi}$$

Fig. 12. Modular inheritance proof rule M-INH. 



Interface Abstraction For each class of modules with the same interface there 
is a largest element with respect to the simulation preorder, called the interface 
abstraction, which can be generated automatically. 

Definition 12 Interface Abstraction. Let $M = (I, B)$ be a module with in- 
terface $I = (V, T)$. The interface abstraction of M is the module $A_M = (I, B^*)$ 
where 

$$B^* = (V^* = \emptyset,\ \Theta^* = \mathit{true},\ T^* = \{\tau_a\},\ \lambda^* = \{\tau_a\} \times (T \cup \{l_{proxy}\}),\ J^* = \emptyset,\ C^* = \emptyset)$$

The interface abstraction relies solely on information given by the interface. 
Using the transition mapping 

$$\gamma(\tau) = \begin{cases}
\tau_a & \text{if } \exists l \in T_M .\ \lambda_M(\tau, l) \\
\tau^* \ \text{with } \rho_{\tau^*} = \rho_{\tau_a} \wedge \bigwedge_{v \in V_I} v = v' & \text{otherwise}
\end{cases}$$

it is easy to show that $M \sqsubseteq A_M$. The transition $\tau_a$ can simulate any transi- 
tion in B. The labeling function covers all exported transitions, and the proxy 
label, which is not exported, ensures that in any composition there is a non- 
synchronizing transition. 



4.5 Induction for Recursive Descriptions 

A natural way to prove properties over a recursively defined module is by in- 
duction on the parameter value. Let $\prec$ be a well-founded order over the domain 
$\mathcal{D}$ of the parameters of a module M. The principle of well-founded induction is 
formulated as follows: 

To show that $M(X) \models \varphi(X)$ for all $X \in \mathcal{D}$, it suffices to show that for 
an arbitrary value $X \in \mathcal{D}$ 

$M(A) \models \varphi(A)$ for all $A \prec X$ (IH) 

implies 

$M(X) \models \varphi(X)$ 

The antecedent is called the inductive hypothesis, and the consequent is 
called the conclusion of the inductive step. 

For unknown parameter values the transition system associated with a recur- 
sively described module cannot be computed directly. Module abstraction, e.g., 
interface abstraction, can be used to derive an abstraction with a non-recursive 
description. 

5 Verification of the Arbiter 

The two properties we want to prove about the arbiter system are mutual exclu- 
sion: no two clients can hold the grant simultaneously, expressed by 

$\mathit{mux}(h) : \Box(\forall i, j : [0..2^h - 1] .\ (\mathit{grants}[i] \wedge \mathit{grants}[j]) \to i = j)$ 

and eventual access: any client who requests a grant will eventually get a grant, 
expressed by 

$\mathit{acc}(h) : \Box(\forall i : [0..2^h - 1] .\ \mathit{requests}[i] \to \Diamond\mathit{grants}[i])$ 



5.1 Mutual exclusion 

The Arbiter system was formally specified in Section 3.7, as a composition of 
ArbiterTree and Top. By the property inheritance rules, to prove 

$\mathit{Arbiter}(h) \models \mathit{mux}(h)$ 

it is sufficient to prove 

$\mathit{ArbiterTree}(h) \models \mathit{mux}(h)$ 

The recursive description of ArbiterTree suggests a proof by induction. For the 
base case we have to show 

$\mathit{ArbiterTree}(1) \models \mathit{mux}(1)$ 

which, using the definition of ArbiterTree for h = 1, the definition of LeafNode 
and the property inheritance rules can be reduced to the proof of 

$\mathit{ArbiterNode} \models \Box\neg(\mathit{grL} \wedge \mathit{grR})$ 

This property is easily established by applying the invariance rule to the associ- 
ated transition system of ArbiterNode. 

By the induction principle, to prove for h > 1 

$\mathit{ArbiterTree}(h) \models \mathit{mux}(h)$ 

we may make use of the inductive hypothesis, for any $h^* < h$, in particular 
$h^* = h - 1$: 

$\mathit{ArbiterTree}(h-1) \models \mathit{mux}(h-1)$ 

and thus, by the property inheritance rules, we inherit 

$\mathit{ArbiterTree}(h) \models \Box(\forall i, j : [0..2^{h-1} - 1] .\ (\mathit{grants}[i] \wedge \mathit{grants}[j]) \to i = j)$ 

$\mathit{ArbiterTree}(h) \models \Box(\forall i, j : [2^{h-1}..2^h - 1] .\ (\mathit{grants}[i] \wedge \mathit{grants}[j]) \to i = j)$ 

for the left and right subtree respectively. The two properties express that each 
subtree establishes mutual exclusion among its set of clients. Unfortunately, they 
do not establish mutual exclusion for the tree itself: they do not prohibit the case 
in which both subtrees simultaneously have given out a grant. To rule out this 
case, we establish two additional properties. The first property states that no 
client holds a grant unless the tree holds a grant. This property only holds of the 
ArbiterTree if we assume that its environment does not retract a grant before 
the ArbiterTree releases the grant. Thus we formulate this as an assumption- 
guarantee property: 

$$\mathit{ArbiterTree}(h) \models \left(\begin{array}{ll}
\text{Assumption:} & \Box(\ominus(\mathit{gr} \wedge \mathit{req}) \to \mathit{gr}) \\
\text{Guarantee:} & \Box(\neg\mathit{gr} \to (\forall i : [0..2^h - 1] .\ \neg\mathit{grants}[i]))
\end{array}\right) \qquad (1)$$

The second property states that only one of the two subtrees can hold the grant, 
expressed by 

$\mathit{ArbiterTree}(h) \models \Box\neg(\mathit{grL} \wedge \mathit{grR})$ 

The latter property is inherited directly from the same property proven earlier 
for the ArbiterNode. From the first property, by the property inheritance rules, 
we inherit 

$$\mathit{ArbiterTree}(h) \models \left(\begin{array}{l}
\Box(\ominus(\mathit{grL} \wedge \mathit{reqL}) \to \mathit{grL}) \\
\Box(\neg\mathit{grL} \to (\forall i : [0..2^{h-1} - 1] .\ \neg\mathit{grants}[i]))
\end{array}\right)$$

$$\mathit{ArbiterTree}(h) \models \left(\begin{array}{l}
\Box(\ominus(\mathit{grR} \wedge \mathit{reqR}) \to \mathit{grR}) \\
\Box(\neg\mathit{grR} \to (\forall i : [2^{h-1}..2^h - 1] .\ \neg\mathit{grants}[i]))
\end{array}\right)$$

The assumptions are discharged by proving 

$\mathit{ArbiterNode} \models \Box(\ominus(\mathit{grL} \wedge \mathit{reqL}) \to \mathit{grL})$ (2) 

and 

$\mathit{ArbiterNode} \models \Box(\ominus(\mathit{grR} \wedge \mathit{reqR}) \to \mathit{grR})$ (3) 

using the invariance rule. These properties are inherited directly by 
ArbiterTree(h). 

It remains to prove (1). This property is again established by induction. The 
case h = 1 is proved using the invariance rule. For the case h > 1 we need, in 
addition to (2) and (3), the auxiliary property that a client of a node can have 
the grant only if the node owns the grant and has not released it yet, expressed 
by 

$$\mathit{ArbiterNode} \models \left(\begin{array}{ll}
\text{Assumption:} & \\
\text{Guarantee:} & \Box((\mathit{grL} \vee \mathit{grR}) \to (\mathit{gr} \wedge \mathit{req}))
\end{array}\right)$$

This property is readily established using the invariance rule, and the assump- 
tions are again discharged using (2) and (3). 

5.2 Eventual Access 

To show accessibility for all clients of the arbiter system, we expect we have to 
make some assumptions on the environment, for example, that clients will even- 
tually release a grant. However, rather than trying to identify these assumptions 
up front, we choose to discover them in the course of the proof, and we will add 
them to the property as appropriate. As it is more convenient to do the proof 
at the level of the ArbiterTree rather than for the arbiter system, assumptions 
about the parent of the ArbiterTree (called the server) are added as well. These 
will be discharged at the end by the Top module. 

To show 

$\mathit{Arbiter}(h) \models \mathit{acc}(h)$ 

it suffices to show 

$\mathit{ArbiterTree}(h) \models \mathit{acc}(h)$ (4) 

A proof by induction yields as the base case 

$\mathit{ArbiterTree}(1) \models \mathit{acc}(1)$ 

which, by the property inheritance rules can be reduced to 

$\mathit{ArbiterNode} \models \Box(\mathit{reqL} \to \Diamond\mathit{grL})$ (5) 

and 

$\mathit{ArbiterNode} \models \Box(\mathit{reqR} \to \Diamond\mathit{grR})$ (6) 



Figure 13 shows a generalized verification diagram to prove (5). It represents the 
desired flow of the module that establishes the property. The initiation conditions 
(all initial states are covered by the diagram) and the fairness conditions (the 
assertions on nodes with outgoing labeled edges imply the enabling condition 
of the corresponding transition) are readily established. However, consecution 
(every $\tau$-successor of an assertion is covered) does not hold; for example, it fails for 
node $n_1$ for the environment transition. Since gr and reqL are input variables of 
ArbiterNode, the environment transition may modify them arbitrarily. However, 
if we assume that the parent (server) does not retract a grant before it is released, 
expressed by 

$\Box(\ominus(\mathit{gr} \wedge \mathit{req}) \to \mathit{gr})$ (server) (7) 

and that the (right) client does not retract a request before it receives a grant, 

$\Box(\ominus(\neg\mathit{grR} \wedge \mathit{reqR}) \to \mathit{reqR})$ (client) (8) 

the consecution condition holds for $n_1$. For the consecution condition of $n_2$ we 
need to assume that the right client does not request a grant before the previous 
one is retracted, 

$\Box(\ominus(\mathit{grR} \wedge \neg\mathit{reqR}) \to \neg\mathit{reqR})$ (client) (9) 

and for the consecution of node $n_4$ we assume that the parent does not give a 
grant unless it is requested, 

$\Box(\ominus(\neg\mathit{gr} \wedge \neg\mathit{req}) \to \neg\mathit{gr})$ (server) (10) 

Additional assumptions are necessary to ensure progress. The fairness of 
ReleaseRight, RequestGrant and GrantLeft ensures progress from nodes $n_2$, 
$n_4$ and $n_6$; however, no progress is guaranteed from nodes $n_1$, $n_3$ and $n_5$ (note 
that no progress is required from $n_0$ or $n_7$, because in $n_0$ the antecedent of our 
property is false, while in $n_7$ the goal is true). Progress from $n_1$ requires the 
(right) client to eventually release the grant: 

$\Box(\mathit{grL} \to \Diamond(\neg\mathit{reqL} \vee \neg\mathit{grL}))$ (client) (11) 

To guarantee progress from $n_3$ and $n_5$ we have to assume that the server will 
eventually retract the grant when it is released, 

$\Box(\mathit{req} \to \Diamond(\mathit{gr} \vee \neg\mathit{req}))$ (server) (12) 

and that the server will eventually give a grant when one is requested, 

$\Box(\neg\mathit{req} \to \Diamond(\neg\mathit{gr} \vee \mathit{req}))$ (server) (13) 

The proof of (6) is similar; it generates the same assumptions for the server 
and the symmetrical assumptions for the clients. 
Fig. 13. Verification diagram for property (5) 

Generalizing these assumptions about the ArbiterNode clients to the clients 
of an ArbiterTree of height h we get, 

$\mathit{clients}(h) :$ 

$\forall i : [0..2^h - 1] .\ \Box(\ominus(\neg\mathit{grants}[i] \wedge \mathit{requests}[i]) \to \mathit{requests}[i]);$ 

$\forall i : [0..2^h - 1] .\ \Box(\ominus(\mathit{grants}[i] \wedge \neg\mathit{requests}[i]) \to \neg\mathit{requests}[i]);$ 

$\forall i : [0..2^h - 1] .\ \Box(\mathit{grants}[i] \to \Diamond(\neg\mathit{requests}[i] \vee \neg\mathit{grants}[i]))$ 

We now weaken our accessibility property to include the assumptions: 

$\mathit{ArbiterTree}(h) \models \mathit{server} \wedge \mathit{clients}(h) \to \mathit{acc}(h)$ (14) 



where server stands for the conjunction of assumptions made about the parent: 

$\mathit{server} :$ 

$\Box(\ominus(\mathit{gr} \wedge \mathit{req}) \to \mathit{gr}) \wedge$ 
$\Box(\ominus(\neg\mathit{gr} \wedge \neg\mathit{req}) \to \neg\mathit{gr}) \wedge$ 
$\Box(\neg\mathit{req} \to \Diamond(\neg\mathit{gr} \vee \mathit{req})) \wedge$ 
$\Box(\mathit{req} \to \Diamond(\mathit{gr} \vee \neg\mathit{req}))$ 



To prove the induction step, we make use of the inductive hypothesis for 
$h^* = h - 1$, 

$\mathit{ArbiterTree}(h-1) \models \mathit{server} \wedge \mathit{clients}(h-1) \to \mathit{acc}(h-1)$ 

which is inherited by ArbiterTree(h) as 

$\mathit{ArbiterTree}(h) \models \mathit{serverL} \wedge \mathit{clientsL}(h) \to \mathit{accL}(h)$ 

and 

$\mathit{ArbiterTree}(h) \models \mathit{serverR} \wedge \mathit{clientsR}(h) \to \mathit{accR}(h)$ 

where accL and accR stand for accessibility for the clients $0 \ldots 2^{h-1} - 1$ and 
$2^{h-1} \ldots 2^h - 1$, respectively, 

$\mathit{accL}(h) : \forall i : [0..2^{h-1} - 1] .\ \Box(\mathit{requests}[i] \to \Diamond\mathit{grants}[i])$ 
$\mathit{accR}(h) : \forall i : [2^{h-1}..2^h - 1] .\ \Box(\mathit{requests}[i] \to \Diamond\mathit{grants}[i])$ 

Similarly, clientsL(h) and clientsR(h) refer to the assumptions made about the 
clients $0 \ldots 2^{h-1} - 1$ and $2^{h-1} \ldots 2^h - 1$, respectively; serverL stands for the 
server assumptions made by the left subtree: 

$\mathit{serverL} :$ 

$\Box(\ominus(\mathit{grL} \wedge \mathit{reqL}) \to \mathit{grL}) \wedge$ 
$\Box(\ominus(\neg\mathit{grL} \wedge \neg\mathit{reqL}) \to \neg\mathit{grL}) \wedge$ 
$\Box(\neg\mathit{reqL} \to \Diamond(\neg\mathit{grL} \vee \mathit{reqL})) \wedge$ 
$\Box(\mathit{reqL} \to \Diamond(\mathit{grL} \vee \neg\mathit{reqL}))$ 

that is, req and gr are replaced by reqL and grL. Similarly, serverR stands for 
the server assumptions made by the right subtree. It is easy to see that 

$\mathit{ArbiterTree}(h) \models \mathit{clients}(h) \to \mathit{clientsL}(h) \wedge \mathit{clientsR}(h)$ 

$\mathit{ArbiterTree}(h) \models \mathit{accL}(h) \wedge \mathit{accR}(h) \to \mathit{acc}(h)$ 

Thus it remains to discharge serverL and serverR. For serverL we show 

$\mathit{ArbiterTree}(h) \models \Box(\ominus(\mathit{grL} \wedge \mathit{reqL}) \to \mathit{grL})$ (15) 

$\mathit{ArbiterTree}(h) \models \Box(\ominus(\neg\mathit{grL} \wedge \neg\mathit{reqL}) \to \neg\mathit{grL})$ (16) 

$\mathit{ArbiterTree}(h) \models \mathit{server} \to \Box(\neg\mathit{reqL} \to \Diamond(\neg\mathit{grL} \vee \mathit{reqL}))$ (17) 

$\mathit{ArbiterTree}(h) \models \mathit{server} \wedge \mathit{clients}(h) \to \Box(\mathit{reqL} \to \Diamond\mathit{grL})$ (18) 

Property (15) is identical to (2), which was established before. We show (16) by 
applying INV to the corresponding ArbiterNode property. Property (17) can be 
reduced to 

$\mathit{ArbiterNode} \models \Box(\ominus(\mathit{gr} \wedge \mathit{req}) \to \mathit{gr}) \to \Box(\neg\mathit{reqL} \to \Diamond(\neg\mathit{grL} \vee \mathit{reqL}))$ (19) 

which is proven by the generalized verification diagram shown in Figure 14. The 
(server) assumption $\Box(\ominus(\mathit{gr} \wedge \mathit{req}) \to \mathit{gr})$ is necessary to ensure that in node $n_0$ 
gr is preserved by the environment transition. 




Fig. 14. Verification diagram for property (19). 



To show property (18) we make use of property (5), which was proven un- 
der the assumptions (7)-(13). The server assumptions, (7), (12), and (13) are 
discharged immediately by server in the antecedent. Thus it remains to show 

$\mathit{ArbiterTree}(h) \models \mathit{server} \wedge \mathit{clients}(h) \to \Box(\ominus(\neg\mathit{grR} \wedge \mathit{reqR}) \to \mathit{reqR})$ (20) 

$\mathit{ArbiterTree}(h) \models \mathit{server} \wedge \mathit{clients}(h) \to \Box(\ominus(\mathit{grR} \wedge \neg\mathit{reqR}) \to \neg\mathit{reqR})$ (21) 

$\mathit{ArbiterTree}(h) \models \mathit{server} \wedge \mathit{clients}(h) \to \Box(\mathit{grL} \to \Diamond(\neg\mathit{reqL} \vee \neg\mathit{grL}))$ (22) 

Property (20) is shown by case analysis. For h = 1 the consequent is directly 
implied by clients(1). For the case h > 1 we prove 

$\mathit{ArbiterNode} \models \Box(\ominus(\neg\mathit{gr} \wedge \mathit{req}) \to \mathit{req})$ (23) 

using the invariance rule; the desired property is then inherited from the right 
child. Property (21) is proven in the same way, by proving 

$\mathit{ArbiterNode} \models \Box(\ominus(\mathit{grR} \wedge \neg\mathit{reqR}) \to \neg\mathit{reqR})$ (24) 

The proof of (22) proceeds in a similar fashion except here we need to use 
induction, where both the base case (h = 1) and the inductive step (h > 1) rely 
on the following ArbiterNode property 

$$\mathit{ArbiterNode} \models \left(\begin{array}{ll}
\text{Assumption:} & \Box(\ominus(\neg\mathit{grL} \wedge \mathit{reqL}) \to \mathit{reqL}); \\
 & \Box(\ominus(\neg\mathit{grR} \wedge \mathit{reqR}) \to \mathit{reqR}); \\
 & \Box(\ominus(\mathit{grL} \wedge \neg\mathit{reqL}) \to \neg\mathit{reqL}); \\
 & \Box(\ominus(\mathit{grR} \wedge \neg\mathit{reqR}) \to \neg\mathit{reqR}); \\
 & \Box(\mathit{grL} \to \Diamond(\neg\mathit{reqL} \vee \neg\mathit{grL})); \\
 & \Box(\mathit{grR} \to \Diamond(\neg\mathit{reqR} \vee \neg\mathit{grR})) \\
\text{Guarantee:} & \Box(\mathit{gr} \to \Diamond(\neg\mathit{req} \vee \neg\mathit{gr}))
\end{array}\right) \qquad (25)$$



which is proven by the generalized verification diagram shown in Figure 15. The 
first four assumptions are necessary to ensure the consecution requirement for 
nodes $n_0$, $n_3$, $n_5$ and one further node of the diagram, respectively. The last two assumptions are used to 
ensure progress from nodes $n_1$ and $n_4$. 

In the base case, when ArbiterTree(1) inherits this property, all assumptions 
are discharged by clients(1). For the case h > 1, the first four assumptions are 
discharged by (23) and (24) and the corresponding properties for the left side, 
and the last two properties are discharged by the inductive hypothesis inherited 
from the left and right subtree. This concludes the proof of (14). 

We now finish the proof of accessibility for the Arbiter system. It is easy to 
show 

$\mathit{Top} \models \mathit{server}$ 

and therefore we can discharge the server assumption for the Arbiter system, 
and we have 

$\mathit{Arbiter}(h) \models \mathit{clients}(h) \to \mathit{acc}(h)$ 

Thus, as expected, accessibility for the arbiter system relies on the cooperation 
of the clients. 
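The claim $\mathit{Top} \models \mathit{server}$ above, and the invariance rule of Section 4.1 it rests on, can be discharged mechanically for a module as small as Top (Fig. 5), whose state space has only four states. The Python below is an added illustration written for this page, not code from the paper or its authors. It encodes Top's two transitions plus an environment transition that changes the input req arbitrarily (our reading of how the associated transition system treats input variables), checks the past-formula conjuncts (7) and (10) of server as step conditions $\{p\}\,T\,\{q\}$ in the sense of rule INV, and checks the response conjuncts (12) and (13) with the basic Manna-Pnueli response rule for a single just transition, whose four premises are listed in the docstring and are not stated on this page. The last function reproduces the situation the text keeps pointing at: gr → req is not an invariant of Top on its own, because the environment transition can drop req while a grant is out.

```python
"""Verification conditions for the Top module of Fig. 5, discharged by
enumerating its four states.  Added example (not the paper's tooling): the
state encoding, the environment transition and the rule checkers are ours."""
from itertools import product

VARS = ("gr", "req")                      # gr: output, req: input of Top
ALL_STATES = [dict(zip(VARS, b)) for b in product((False, True), repeat=2)]

def initial(s):                           # Theta of Top: gr = false
    return not s["gr"]

# Transitions: name -> (enabling condition, successor function, is_just).
# The successor function returns every state reachable in one step.
def grant_succ(s):   return [{**s, "gr": True}]
def retract_succ(s): return [{**s, "gr": False}]
def env_succ(s):     # the environment may change the input req arbitrarily
    return [{**s, "req": r} for r in (False, True)]

TOP = {
    "Grant":   (lambda s: not s["gr"] and s["req"], grant_succ, True),
    "Retract": (lambda s: s["gr"] and not s["req"], retract_succ, True),
    "env":     (lambda s: True, env_succ, False),
}

def step_condition(system, p, q, names=None):
    """{p} T {q}: every tau-successor (tau in `names`, default: all
    transitions) of a state satisfying p satisfies q.
    Returns None if it holds, else a counterexample (tau, s, s')."""
    for name, (en, succ, _) in system.items():
        if names is not None and name not in names:
            continue
        for s in ALL_STATES:
            if p(s) and en(s):
                for t in succ(s):
                    if not q(t):
                        return (name, s, t)
    return None

def inv_rule(system, phi):
    """Rule INV (Fig. 6): Theta -> phi and {phi} T {phi} give S |= []phi."""
    initiation = all(phi(s) for s in ALL_STATES if initial(s))
    return initiation and step_condition(system, phi, phi) is None

def prev_rule(system, p, q):
    """[]((-)p -> q) for state formulas p, q: the previous-state operator
    (-) turns the past formula into the step condition {p} T {q}."""
    return step_condition(system, p, q) is None

def response_rule(system, p, q, phi, helpful):
    """p -> <>q via a just (weakly fair) helpful transition:
    (1) p -> q \\/ phi   (2) {phi} T {q \\/ phi}
    (3) {phi} helpful {q}   (4) phi -> En(helpful)."""
    en, _, just = system[helpful]
    if not just:
        raise ValueError("helpful transition must be just")
    c1 = all(q(s) or phi(s) for s in ALL_STATES if p(s))
    c2 = step_condition(system, phi, lambda s: q(s) or phi(s)) is None
    c3 = step_condition(system, phi, q, {helpful}) is None
    c4 = all(en(s) for s in ALL_STATES if phi(s))
    return c1 and c2 and c3 and c4

def top_satisfies_server():
    """The four conjuncts of `server`, numbered as in the paper."""
    gr, req = (lambda s: s["gr"]), (lambda s: s["req"])
    return {
        "(7)":  prev_rule(TOP, lambda s: gr(s) and req(s), gr),
        "(10)": prev_rule(TOP, lambda s: not gr(s) and not req(s),
                          lambda s: not gr(s)),
        "(12)": response_rule(TOP, req, lambda s: gr(s) or not req(s),
                              lambda s: req(s) and not gr(s), "Grant"),
        "(13)": response_rule(TOP, lambda s: not req(s),
                              lambda s: not gr(s) or req(s),
                              lambda s: not req(s) and gr(s), "Retract"),
    }

def gr_implies_req_counterexample():
    """gr -> req is NOT an invariant of Top: the environment may drop req
    while the grant is out, which is exactly why such facts are assumed
    about the clients rather than proven over Top alone."""
    phi = lambda s: not s["gr"] or s["req"]
    return step_condition(TOP, phi, phi)

if __name__ == "__main__":
    print(top_satisfies_server())
    print(gr_implies_req_counterexample())
```

Because every check quantifies over all states rather than only the reachable ones, each function really computes the first-order premise of the corresponding proof rule; the counterexample returned for gr → req is the triple (env, gr ∧ req, gr ∧ ¬req), the same environment step that breaks consecution at node $n_1$ in the discussion of Figure 13.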



6 Conclusions 

We have presented a formal framework for the modular description and ver- 
ification of fair transition systems, and demonstrated its use on an example. 
We proposed several deductive proof techniques to establish and re-use modular 
properties. 

Fig. 15. Verification diagram for property (25). 

— A modular verification rule to prove properties over modules with non- 
recursive descriptions. 

— A property inheritance mechanism that provides an incremental proof 
method: properties of a module A can be reused in any module B whose 
description refers to A. 

— Modular abstraction, which allows us to focus the proof on relevant compo- 
nents. 

— The induction rule, which makes the methodology applicable to recursive 
designs. 

We illustrated our techniques by verifying an arbiter system. In particular 
we demonstrated that our framework allows the use of assumption-guarantee 
reasoning without suffering from its main disadvantage of having to identify 
sufficiently strong guarantee properties up front. In the verification of the arbiter 
system we showed how assumptions are generated naturally in the course of the 
proof. Diagrams were constructed representing the intended flow of the module, 
and verification conditions involving input variables were added as assumptions 
to the property we set out to prove. These assumptions were then carried along 
until they either could be discharged by properties proven over other modules, 
or they could be proven directly over the larger inheriting module. 

Although not considered in this paper, the verification methodology can 
be adapted to other verification techniques, such as deductive model checking 
[SUM96]. It is also straightforward to extend the framework to real-time and 
hybrid systems, modeled by clocked and hybrid transition systems [MP95a]. In 
these systems fair, clocked and hybrid parameterized transition modules can be 
freely combined into one module system. Extra care has to be taken to ensure 
that time steps synchronize for all parallel modules. 

Acknowledgements: We thank Nikolaj Bjørner, Mark Pichora and Tomas 
Uribe for their careful reading and many helpful suggestions. 
Abstract. To support top-down design of distributed real-time systems, 
a framework of mixed terms has been incorporated in the verification 
system PVS. Programs and assertional specifications are treated in a 
uniform way. We focus on the timed behaviour of parallel composition 
and hiding, presenting several alternatives for the definition of a deno- 
tational semantics. This forms the basis of compositional proof rules for 
parallel composition and hiding. The formalism is applied to an example 
of a hybrid system, which also serves to illustrate our ideas on platform- 
independent programming. 



1 Introduction 

The aim of this work is to devise a formal framework for the top-down design of 
distributed real-time systems. An important ingredient of such a framework is a set 
of compositional proof rules for the programming constructs. That is, it should 
be possible to reason with the specifications of components without knowing 
their implementation [dR85,HdR86]. 

In Sect. 1.1 we introduce the framework of mixed terms. To obtain mecha- 
nized support we use the verification system PVS, presented in Sect. 1.2. Sec- 
tion 1.3 addresses applications and the topic of this paper. The structure of the 
rest of the paper can be found in Sect. 1.4. 



1.1 Mixed Terms 

Our specifications are based on assertions, i.e., logical formulae that express 
desired properties of (part of) a system. To be able to formalize intermediate 
stages during the top-down design of a system, we aim at a framework where 
specifications and programming constructs can be mixed freely. This is inspired 
by similar work on untimed systems [Old85,Old91,Zwi89] and related to recent 
work on timed systems [SO98]. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS'97, LNCS 1536, pp. 276-300, 1998. 
Springer-Verlag Berlin Heidelberg 1998 
Example 1. As a simple example, consider a top-level specification TLSpec, in- 
cluding timing constraints. Suppose we decide to implement this as the parallel 
composition of two components specified by SpecComp1 and SpecComp2. This 
refinement step is denoted by $(\mathit{SpecComp}_1 \,\|\, \mathit{SpecComp}_2) \sqsubseteq \mathit{TLSpec}$. It should 
be justified by a compositional rule for parallel composition. Often a set of inter- 
nal events, say IntEvents, is introduced to synchronize or communicate between 
the two components. These internal events can be encapsulated by a hiding con- 
struct, denoted by $- \mathit{IntEvents}$. By means of a compositional hiding rule we then show 

$((\mathit{SpecComp}_1 \,\|\, \mathit{SpecComp}_2) - \mathit{IntEvents}) \sqsubseteq \mathit{TLSpec}.$ 

Next each component can be developed in isolation. For instance, 

$\mathit{SpecComp}_{11} \,;\, \mathit{SpecComp}_{12} \sqsubseteq \mathit{SpecComp}_1$ and 
$\mathit{SpecComp}_{21} \,\|\, \mathit{SpecComp}_{22} \sqsubseteq \mathit{SpecComp}_2.$ 

Then, by means of transitivity of ^ and so-called monotonicity rules for par- 
allel composition and hiding, this leads to 
$(((\mathit{SpecComp}_{11} \,;\, \mathit{SpecComp}_{12}) \,\|\, (\mathit{SpecComp}_{21} \,\|\, \mathit{SpecComp}_{22})) - \mathit{IntEvents}) \sqsubseteq \mathit{TLSpec}.$ 

Again the specihcations can be rehned further, leading to a (real-time) program 
for each software component of the system. 

Traditionally, real-time programs are based on constructs such as delays, 
time-outs, periods, and priorities. Such a program usually depends heavily on 
the underlying platform, the scheduling policy, and also on the other components 
of the system (e.g., also the priority of totally unrelated parallel components 
is important). Consequently, program verification requires many assumptions 
about the execution platform and compositionality is difficult to achieve. 

Our approach aims at a platform-independent program activity, postponing 
platform considerations as long as possible. This is achieved by extending con- 
ventional (untimed) programming languages with so-called timing annotations 
that only specify the relevant timing constraints [HvR97]. As a separate ac- 
tivity, these platform-independent programs are then scheduled on a particular 
execution platform. 

1.2 Mechanized Proof Support 

To obtain mechanized support for our formal framework, we use the verifica-
tion system PVS (Prototype Verification System) [ORS92,ORSvH95]. Our mixed
framework has been formulated in the language of PVS, a typed higher-order
logic. Type-checking may generate proof obligations, the so-called Type Correctness
Conditions (TCCs), which require a proof that expressions indeed have the proper
type. In general, properties can be verified by means of the interactive proof
checker of PVS.

PVS provides not only convenient support during the specification and ver-
ification of applications, but it is equally useful for the development of formal
theory. The use of so-called putative theorems, expressing properties that ought
to hold, frequently reveals errors during theoretical studies. For instance, in
the work described here, several errors have been detected by the formulation of
alternative definitions and attempts to prove their equivalence.
1.3 Applications and Topic of this Paper

In previous work, our assertional framework has been used to verify several pro-
tocols with PVS, such as part of the ACCESS.bus protocol [Hoo95] and a mem-
bership protocol with local clocks and a dynamically changing network [Hoo97].
Another class of applications concerns the design of hybrid systems, containing
both discrete and continuous components. For instance, a steam boiler control
system has been specified and verified [VH96].

These applications are based on a formalization of the framework in PVS
as described in [Hoo94]. There the proof rules for sequential programming con-
structs have been proved sound, but the rule for parallel composition was stated
as an axiom, based on a manual soundness proof. The main topic of the current
paper is to formalize this soundness proof and to investigate several alternatives
for the formalization of parallel composition. Additionally we investigate the
hiding construct and prove soundness of the required monotonicity rules.

We aim at a framework which allows reasoning about local clocks and hybrid
systems; it should be possible to deal with both discrete and continuous time.
Hence the framework developed here is parameterized by a time domain
and can be instantiated with various notions of time.

Focusing on parallel composition and hiding, we only describe the externally
visible behaviour of a component in terms of the events that occur at any point
of time. This clarifies the exposition, leaving extensions of the approach to deal
with a local state along the lines of [Hoo94] to future work.



1.4 Overview 

The basic semantic primitives are defined in Sect. 2. Several equivalent formula-
tions for the semantics of parallel composition can be found in Sect. 3. Moreover,
we prove the soundness of a compositional rule for parallel composition. An al-
ternative framework, aiming at the definition of parallel composition by intersec-
tion, is presented in Sect. 4. We show that the two approaches are isomorphic.
Semantics and proof rules for the hiding construct are given in Sect. 5, again
investigating both approaches. To illustrate the use of the framework and our
ideas on platform-independent design, we consider in Sect. 6 a simple example
of a hybrid system. Section 7 contains concluding remarks.



2 Semantic Primitives 

The PVS specification language allows us to structure the framework into a
number of parameterized theories. Theory TimePrim contains a few simple no-
tations to express timing properties. The time domain Time is a parameter of
this theory, which makes it possible to instantiate it for concrete examples with,
e.g., a discrete or a continuous notion of time. The semantic framework and the
proof rules presented here are independent of this choice. We only assume given
a strict order < and a partial order ≤ on this domain, with the usual rela-
tion between these two, as expressed by the ASSUMING clause below. Importing
theory TimePrim with a particular time domain then leads to a so-called Type
Correctness Condition (TCC) which requires a proof that the particular orders
indeed satisfy the formula named leq_less. Of course, we could use only one of
the orders as a parameter and define the other in terms of it, but the version
presented here allows us to import the theory with, for instance, the real numbers
and then make optimal use of the built-in decision procedures of PVS for the
reals and the corresponding relations.

We use three dots (...) to indicate that some obvious details are omitted.
Observe that TimePrim imports theory Connectives which is presented below.



  TimePrim[Time : TYPE, < : (strict_order?[Time]),
           ≤ : (partial_order?[Time])] : THEORY
  BEGIN
    ASSUMING
      leq_less : ASSUMPTION ∀ (t1, t2 : Time) : t1 ≤ t2 ⇔ t1 < t2 ∨ t1 = t2
    ENDASSUMING

    t, t0, t1 : VAR Time

    [t0, t1] : setof[Time] = {t | t0 ≤ t ∧ t ≤ t1}
    [t0, t1) : setof[Time] = {t | t0 ≤ t ∧ t < t1}

    P : VAR pred[Time]      % pred[Time] = [Time → bool]
    I : VAR setof[Time]     % setof[Time] = [Time → bool]

    P in I : bool = ∃ t : t ∈ I ∧ P(t)

    P during I : bool = ∀ t : t ∈ I ⇒ P(t)

    IMPORTING Connectives[Time]
  END TimePrim



Theory Connectives is copied from [Sha98]; it lifts the boolean connectives
to the domain of predicates over a given type (the lifted ∧ and ⇒ are used
below to combine assertions).

  Connectives[T : TYPE] : THEORY
  BEGIN
    P, Q : VAR pred[T]
    t : VAR T

    ¬(P)(t) : bool = ¬P(t);
    (P ∧ Q)(t) : bool = P(t) ∧ Q(t);
    (P ⇒ Q)(t) : bool = P(t) ⇒ Q(t);
    ...
    TRUE(t) : bool = TRUE
    FALSE(t) : bool = FALSE
  END Connectives
The basic semantic primitives are defined in theory SemPrim. Since theory
TimePrim is imported and no more restrictions are imposed on the time domain,
we use the same parameters and also copy the assuming clause to be able to prove
the generated Type Correctness Condition. This construction is used in all sub-
sequent theories, except for concrete examples, and is omitted henceforth.

We declare a nonempty type of events and define the notion of an observa-
tion function, which is a function from the time domain to a set of events. The
intention is that such a function represents an externally observable timing be-
haviour of a component by describing the set of events that occur at each point
of time. Events can be shared by several components, e.g., for synchronization
or to observe the same physical event.

The basic semantic structure is defined by type CompInfo, which is a record
with two fields:

— Field a represents the alphabet of the component, that is, the set of events
that might occur during the behaviour of the component.

— Field obs describes the observable behaviour of the component. Since we
allow nondeterministic components, it is represented by a set of observation
functions.

Note that components are not restricted to (parts of) computer programs; also
physical components can be represented in this way, as will be illustrated by an
example of a hybrid system in Sect. 6.

In subsequent sections, additional restrictions will be imposed on the type
CompInfo, to represent choices concerning the semantic representation. Further
note that the exposition here only concerns the externally observable behaviour
and a representation of an internal state is omitted.

  SemPrim[Time : TYPE, < : (strict_order?[Time]),
          ≤ : (partial_order?[Time])] : THEORY
  BEGIN
    ASSUMING
      leq_less : ASSUMPTION ∀ (t1, t2 : Time) : t1 ≤ t2 ⇔ t1 < t2 ∨ t1 = t2
    ENDASSUMING

    IMPORTING TimePrim[Time, <, ≤]

    Events : NONEMPTY_TYPE

    ObsFuncts : TYPE = [Time → setof[Events]]

    CompInfo : TYPE = [# a : setof[Events], obs : setof[ObsFuncts] #]

The usual operations on sets (of events) are lifted to observation functions.

    o, o1, o2, o3 : VAR ObsFuncts
    t, t0, t1, t2, t3, t4 : VAR Time
    ci : VAR CompInfo
    Eset, Eset0, Eset1, Eset2 : VAR setof[Events]
    e : VAR Events

    o1 ∪ o2 : ObsFuncts = λ t : o1(t) ∪ o2(t)
    o ∩ Eset : ObsFuncts = λ t : o(t) ∩ Eset
    o \ Eset : ObsFuncts = λ t : o(t) \ Eset
    o ⊆ Eset : bool = ∀ t : o(t) ⊆ Eset

    obs_union_comm : LEMMA o1 ∪ o2 = o2 ∪ o1
    obs_union_assoc : LEMMA (o1 ∪ o2) ∪ o3 = o1 ∪ (o2 ∪ o3)
    intersection_difference : LEMMA o ∩ (Eset1 \ Eset2) = (o \ Eset2) ∩ Eset1

With the current definitions, o(t)(read) expresses that an event read occurs
at time t (note that a set of events is represented as a predicate on events). To
be able to use the notations from theory TimePrim, one should be able to write
o(read)(t) and then, for instance, o(read) in [3, 7). This can be achieved by defining
a conversion At which makes it possible to interpret o as At(o) when convenient.

    At(o)(e)(t) : bool = o(t)(e)

    CONVERSION At
  END SemPrim



Henceforth, declarations of variables are not repeated, so below o, o1, t, t0,
etc., are used without declaration.

3 Parallel Composition 

The parallel composition of real-time components is studied, where we consider
in this section a representation where events outside the alphabet of a process,
i.e. events of the environment, are ignored. In Sect. 3.1, a denotational seman-
tics is presented. To increase the confidence in the definition, several equivalent
formulations are studied. Section 3.2 contains a general framework to denote
assertional specifications. A compositional rule for parallel composition can be
found in Sect. 3.3.

3.1 Denotational Semantics of Parallel Composition

Theory Sem defines the type Comps of components by imposing the restriction
that any observation function of a component contains only events of its alpha-
bet. So an observation function of a component describes only the behaviour
that is relevant for the component itself.
  Sem[Time : TYPE ...] : THEORY
  BEGIN
    ASSUMING ...

    IMPORTING SemPrim[Time, <, ≤]

    ObsInAlpha(ci) : bool = ∀ o : obs(ci)(o) ⇒ o ⊆ a(ci)

    Comps : TYPE = {ci | ObsInAlpha(ci)}

  END Sem

Parallel composition of two components can be defined by taking the union of
the alphabets and the (pointwise) union of the observation functions, with the
additional restriction that these observation functions agree (i.e., are equal) on
the events that are in both alphabets.

  SemPar[Time : TYPE ...] : THEORY
  BEGIN
    ASSUMING ...

    IMPORTING Sem[Time, <, ≤]

    comp, comp0, comp1, comp2, comp3, comp4 : VAR Comps

    par(comp1, comp2) : Comps =
      (# a := a(comp1) ∪ a(comp2),
         obs := λ o : (∃ o1, o2 : obs(comp1)(o1) ∧ obs(comp2)(o2) ∧ o = o1 ∪ o2 ∧
                        o1 ∩ a(comp1) ∩ a(comp2) = o2 ∩ a(comp1) ∩ a(comp2)) #)

Since par(comp1, comp2) should be of type Comps, type-checking leads to a
Type Correctness Condition requiring a proof that the definition indeed satisfies
ObsInAlpha. The proof uses the fact that this property already holds for the
components.

Moreover, ObsInAlpha has been used to show that an equivalent definition is
obtained if o1 ∩ a(comp1) ∩ a(comp2) = o2 ∩ a(comp1) ∩ a(comp2) is replaced
by o1 ∩ a(comp2) = o2 ∩ a(comp1).

Example 2. Consider a component P1 which performs a read event at time 3 and
a comm(1) event between 7 and 9. Component P2 has the following behaviour: if
a comm(v) event occurs at time t, for some value v, then it performs a write(v+1)
between t + 5 and t + 10. Note that this behaviour is represented by a possibly
infinite set of observation functions; for all values of t and v and any time point
between t + 5 and t + 10 there exists an observation function.

To obtain a behaviour of par(P1, P2) we take the union of a behaviour of
P1 and one of P2, provided they agree on the joint comm event. Hence we can
only use observation functions of P2 that contain a comm(1) event between 7
and 9, and thus have a write(2) event between 12 and 19. Hence the observation
functions of par(P1, P2) contain a read at 3, a comm(1) event between 7 and 9,
and a write(2) between 12 and 19.
To increase the confidence in the definition of parallel composition, an al-
ternative definition is formulated and shown to be equivalent with the previous
one. This alternative definition is similar to the trace-based semantics of paral-
lel composition [Hoa85], which turned out to be useful for the formulation of a
compositional rule for (untimed) parallel composition [Zwi89]. The basic idea is
that the projection of an observation of the parallel construct onto the alphabet
of one of the components leads to an observation of this component. Projection
is here represented by intersection. Additionally, any observation function of the
composition should only contain events of its alphabet. Note that // can be used
as an infix operator in PVS.

    //(comp1, comp2) : Comps =
      (# a := a(comp1) ∪ a(comp2),
         obs := λ o : (∃ o1, o2 : obs(comp1)(o1) ∧ obs(comp2)(o2) ∧
                        o ∩ a(comp1) = o1 ∧ o ∩ a(comp2) = o2 ∧
                        o ⊆ a(comp1) ∪ a(comp2)) #)

    AltSemEquiv : THEOREM comp1 // comp2 = par(comp1, comp2)

Example 3. Consider again the processes P1 and P2 of Example 2. Then any
observation function of P1 // P2 should lead to an observation function of P1 if
the intersection (projection) is taken with the events of P1, viz. read and comm.
Hence any observation function of P1 // P2 should have a read event at 3 and
a comm(1) event between 7 and 9. Since the projection onto the events of P2, viz.
comm and write, should lead to an observation function of P2, this implies that
there is a write(2) between 12 and 19.

As a further test of the definitions, it can be shown that parallel composition
boils down to a simple union of observation functions if there are no shared
events. Moreover, we show that // is idempotent.

    NoSharedEvents : LEMMA a(comp1) ∩ a(comp2) = ∅ ⇒
      comp1 // comp2 =
        (# a := a(comp1) ∪ a(comp2),
           obs := λ o : (∃ o1, o2 : obs(comp1)(o1) ∧ obs(comp2)(o2) ∧ o = o1 ∪ o2) #)

    Idempotence : FACT comp // comp = comp
  END SemPar



3.2 Specifications 

Common to the two versions of the semantic framework presented here is a
notion of refinement between components. Component ci1 refines (implements)
component ci2, denoted by ci1 ⊑ ci2, if the alphabet of "implementation" ci1
is an extension of that of "specification" ci2 and the observable behaviour of ci1
is included in that of ci2.

  SpecsPrim[Time : TYPE ...] : THEORY
  BEGIN
    ASSUMING ...

    IMPORTING SemPrim[Time, <, ≤]

    ci1 ⊑ ci2 : bool = a(ci2) ⊆ a(ci1) ∧ obs(ci1) ⊆ obs(ci2)

    RefRefl : THEOREM ci ⊑ ci

    RefTrans : THEOREM (ci0 ⊑ ci2) ⇔ (∃ ci1 : (ci0 ⊑ ci1) ∧ (ci1 ⊑ ci2))

Instead of a semantic description it is often convenient to specify components
using assertions, which are simply predicates over observation functions.

    Assertion : TYPE = pred[ObsFuncts]

    IMPORTING Connectives[ObsFuncts]

    A, A0, A1, A2 : VAR Assertion
    Valid(A) : bool = ∀ o : A(o)

  END SpecsPrim

In general, assertional specifications can have a certain structure with, for in-
stance, pre- and postconditions or rely/guarantee pairs. To illustrate the basic
concepts, here a specification simply consists of an alphabet and a single asser-
tion.

To allow mixed terms, combining specifications and programming constructs
in a uniform way, specifications also have type Comps. Since this requires a proof
of ObsInAlpha, an observation function satisfying the specification should only
contain events of the alphabet.

  Specs[Time : TYPE ...] : THEORY
  BEGIN
    ASSUMING ...

    IMPORTING Sem[Time, <, ≤], SpecsPrim[Time, <, ≤]

    spec(Eset, A) : Comps = (# a := Eset, obs := λ o : o ⊆ Eset ∧ A(o) #)

  END Specs

Example 4. Assume given read and write events.

    read, write : Events
    ReadWriteDiff : AXIOM read ≠ write

Observe that component C1

    C1 : Comps = spec({e | e = write}, λ o : o(7)(write))

specifies observation functions that contain only write events. Component C2

    C2 : Comps = spec({e | e = read ∨ e = write}, λ o : o(7)(write))

additionally allows arbitrary read events. Lemma ActionFalse below expresses
that we obtain an empty set of observation functions if we restrict the alphabet
to read events. On the other hand, assertion λ o : ¬o(7)(write) does not impose
any additional restriction.

    ActionFalse : LEMMA spec({e | e = read}, λ o : o(7)(write)) =
                          spec({e | e = read}, FALSE)

    NoActionTrue : LEMMA spec({e | e = read}, λ o : ¬o(7)(write)) =
                           spec({e | e = read}, TRUE)


3.3 Compositional Proof Rule for Parallel Composition 

The main topic of this section is the formulation of a compositional rule for parallel
composition. First, however, we prove the soundness of a consequence rule, which
allows weakening of assertions.

  RulePar[Time : TYPE ...] : THEORY
  BEGIN
    ASSUMING ...

    IMPORTING SemPar[Time, <, ≤], Specs[Time, <, ≤]

    ConsRule : THEOREM Eset0 = Eset ∧ Valid(A0 ⇒ A) ⇒
                         (spec(Eset0, A0) ⊑ spec(Eset, A))

The next example shows that the condition Eset0 = Eset of the consequence rule
cannot be weakened to Eset ⊆ Eset0.

Example 5. Component C2 is not a refinement of C1, because C1 specifies, by
its alphabet, that there are no read events, whereas C2 allows arbitrary read
events.

    C2notrefC1 : FACT ¬(C2 ⊑ C1)

The monotonicity rule is important for the composition of refinement steps.

    MonoPar : THEOREM (comp1 ⊑ comp3) ∧ (comp2 ⊑ comp4) ⇒
                        (comp1 // comp2 ⊑ comp3 // comp4)

Next, the aim is to formulate a rule where the parallel composition of specifica-
tions of components corresponds to the conjunction of the assertions:

    spec(Eset1, A1) // spec(Eset2, A2) ⊑ spec(Eset1 ∪ Eset2, A1 ∧ A2).    (*)

The following example shows, however, that this is not valid if, e.g., assertion
A1 refers to events of Eset2 that are not in Eset1.
Example 6. Formula (*) would lead to

    spec({e | e = read}, λ o : ¬o(7)(write)) // spec({e | e = write}, λ o : o(7)(write))
      ⊑ spec({e | e = read ∨ e = write}, FALSE)

and hence, using Example 4 (lemma NoActionTrue),

    spec({e | e = read}, TRUE) // spec({e | e = write}, λ o : o(7)(write))
      ⊑ spec({e | e = read ∨ e = write}, FALSE).

This cannot hold: the left-hand side has a nonempty set of observation functions,
whereas the right-hand side has none.

To rule out such counterexamples, it is required that validity of the assertion
of a component only depends on the events of its alphabet. Hence we define
OnlyDepEve(A, Eset) to express that validity of A only depends on the events
in Eset. Again, to increase the confidence, we prove the equivalence with an
alternative formulation which also turns out to be convenient in proofs.

    OnlyDepEve(A, Eset) : bool = ∀ o1, o2 : A(o1) ∧ o1 ∩ Eset = o2 ∩ Eset ⇒ A(o2)

    OnlyDepEveEquiv : LEMMA OnlyDepEve(A, Eset) ⇔ (∀ o : A(o) ⇔ A(o ∩ Eset))

    ParCompRule : THEOREM OnlyDepEve(A1, Eset1) ∧ OnlyDepEve(A2, Eset2) ⇒
                    spec(Eset1, A1) // spec(Eset2, A2) ⊑ spec(Eset1 ∪ Eset2, A1 ∧ A2)

Theorem ParCompRule, expressing soundness of the parallel composition rule,
has been proved as follows. Assume that we have OnlyDepEve(A1, Eset1) and
OnlyDepEve(A2, Eset2). Let o ∈ obs(spec(Eset1, A1) // spec(Eset2, A2)). Then,
by the definition of //, o ⊆ Eset1 ∪ Eset2 and there exists, e.g., an o1 such that
o ∩ Eset1 = o1 and A1(o1), and hence we have A1(o ∩ Eset1). By OnlyDepEveEquiv
this leads to A1(o). By symmetry we also obtain A2(o), and thus
o ∈ obs(spec(Eset1 ∪ Eset2, A1 ∧ A2)).

4 Semantics of Parallel Composition by Intersection 

In this section we aim at a framework where the semantics of parallel composi-
tion can be formulated as the intersection of the sets of behaviours of the two
components. To achieve this, here the semantic representation of a component
contains arbitrary events of the environment. The relation with the semantics of
the previous section is studied in Sect. 4.1.

First define a type of components, called CompsEnv, where we require that
any arbitrary behaviour outside the alphabet is included.

    ArbOutAlpha(ci) : bool = ∀ o1, o2 :
      obs(ci)(o1) ∧ o1 ∩ a(ci) = o2 ∩ a(ci) ⇒ obs(ci)(o2)

    CompsEnv : TYPE = {ci | ArbOutAlpha(ci)}

Parallel composition is defined by the intersection of the sets of behaviours.

    ce, ce0, ce1, ce2, ce3 : VAR CompsEnv

    //(ce1, ce2) : CompsEnv =
      (# a := a(ce1) ∪ a(ce2), obs := obs(ce1) ∩ obs(ce2) #)

Example 7. Consider again the two components of Example 2: P1, which does
a read at time 3 and a comm(1) between 7 and 9, and P2, which responds to a
comm(v) at time t with a write(v + 1) between t + 5 and t + 10. Now the observation
functions of P1 contain arbitrary events outside its alphabet (read and comm),
including arbitrary write events. Similarly, the observable behaviour of P2 con-
tains observation functions with arbitrary read events. Taking the intersection
of these sets of functions, we obtain all observation functions that contain a read
at 3, a comm(1) event between 7 and 9, and a write(2) between 12 and 19.

In our mixed framework, specifications are also components, and hence the def-
inition of specifications has to be adapted to obtain arbitrary behaviour outside
the alphabet.

    spec(Eset, A) : CompsEnv =
      (# a := Eset, obs := λ o : (∃ o1 : A(o1) ∧ o ∩ Eset = o1 ∩ Eset) #)

Example 8. Observe that for the components C1 and C2 of Example 4, which
are now of type CompsEnv, we have

    C2refC1 : FACT C2 ⊑ C1

since C1 allows more arbitrary behaviour (all non-write events) than C2 (all
non-write and non-read events).

As before we have NoActionTrue, i.e. a specification expressing no activ-
ity outside the alphabet is equivalent to true. But now also assertions express-
ing the occurrence of events outside the alphabet are ignored, as expressed by
ActionTrue.

    ActionTrue : LEMMA spec({e | e = read}, λ o : o(7)(write)) =
                         spec({e | e = read}, TRUE)

    NoActionTrue : LEMMA spec({e | e = read}, λ o : ¬o(7)(write)) =
                           spec({e | e = read}, TRUE)

It is convenient that in this framework the consequence rule can be strengthened,
since the condition about the alphabets can be weakened to a subset relation.

    ConsRule : THEOREM Eset ⊆ Eset0 ∧ Valid(A0 ⇒ A) ⇒
                         (spec(Eset0, A0) ⊑ spec(Eset, A))
The rules for monotonicity and parallel composition remain unchanged. The
proof of ParCompRule now proceeds as follows. Again assume that we have
OnlyDepEve(A1, Eset1) and OnlyDepEve(A2, Eset2). Consider an observation
o ∈ obs(spec(Eset1, A1) // spec(Eset2, A2)). Then, e.g., o ∈ obs(spec(Eset1, A1))
and hence there exists an o1 such that A1(o1) and o ∩ Eset1 = o1 ∩ Eset1. Hence
OnlyDepEve leads to A1(o). By symmetry, A2(o), and taking o itself as the witness
in the definition of spec gives o ∈ obs(spec(Eset1 ∪ Eset2, A1 ∧ A2)).
Finally observe that Example 6 can also be used here to show that the
OnlyDepEve conditions are needed for the soundness of the rule.



4.1 Relating the Frameworks 

To relate the two approaches and the corresponding definitions of parallel compo-
sition, two functions are defined to transform one representation into the other.
They are each other's inverse.

    AddEnv(comp) : CompsEnv =
      (# a := a(comp),
         obs := λ o1 : (∃ o2 : obs(comp)(o2) ∧ o1 ∩ a(comp) = o2 ∩ a(comp)) #)

    RemEnv(ce) : Comps =
      (# a := a(ce),
         obs := λ o1 : (∃ o2 : obs(ce)(o2) ∧ o1 = o2 ∩ a(ce)) #)

    AddRemProp : LEMMA AddEnv(RemEnv(ce)) = ce
    RemAddProp : LEMMA RemEnv(AddEnv(comp)) = comp

Theorems RemRel and AddRel relate the two versions of parallel composi-
tion. Note that AddRel can be proved easily from RemRel and the properties
AddRemProp and RemAddProp.

    RemRel : THEOREM RemEnv(ce1 // ce2) = RemEnv(ce1) // RemEnv(ce2)

    AddRel : THEOREM AddEnv(comp1 // comp2) = AddEnv(comp1) // AddEnv(comp2)

We have not yet addressed commutativity and associativity of parallel compo-
sition in the framework of Sect. 3. The reason is that it is much easier to prove
these properties first in the framework with an arbitrary environment, where we
can simply use the properties of union and intersection from the PVS prelude.

    ParCommEnv : LEMMA ce1 // ce2 = ce2 // ce1

    ParAssocEnv : LEMMA (ce1 // ce2) // ce3 = ce1 // (ce2 // ce3)

By RemAddProp and theorem AddRel these results can be transformed easily to
the framework without environment events.

    ParComm : LEMMA comp1 // comp2 = comp2 // comp1

    ParAssoc : LEMMA (comp1 // comp2) // comp3 = comp1 // (comp2 // comp3)
5 Hiding of Internal Events

Besides parallel composition, also the possibility to encapsulate internal events
is important during top-down design. In Sect. 5.1 a hiding operator is defined in
the framework of Sect. 3. The other framework, with an arbitrary environment,
is considered in Sect. 5.2.

5.1 Hiding in the Framework without Environment Events

To hide a set of events Eset from component comp, denoted by "comp − Eset", the
elements of Eset are removed from the alphabet and the observation functions.

  Hiding[Time : TYPE ...] : THEORY
  BEGIN
    ASSUMING ...

    IMPORTING RulePar[Time, <, ≤]

    −(comp, Eset) : Comps =
      (# a := a(comp) \ Eset,
         obs := λ o : (∃ o1 : obs(comp)(o1) ∧ o = o1 \ Eset) #)

To show that the definition indeed leads to an element of type Comps, type-
checking leads to the requirement to prove that it satisfies ObsInAlpha.

We also prove a monotonicity rule and a hiding rule, which requires that the
assertion of the specification only depends on the remaining, not hidden, events.

    HideMono : THEOREM (comp1 ⊑ comp2) ⇒ (comp1 − Eset ⊑ comp2 − Eset)

    HideRule : THEOREM OnlyDepEve(A, Eset \ Eset0) ⇒
                 spec(Eset, A) − Eset0 ⊑ spec(Eset \ Eset0, A)

  END Hiding

Example 9. For the components C1 and C2 of Example 4 we can prove

    C1hideC2 : LEMMA C1 = C2 − {e | e = read}

5.2 Hiding in the Framework with an Arbitrary Environment

In the alternative framework we cannot simply remove internal events from the
observation functions. On the contrary, hiding is achieved by including any arbi-
trary behaviour concerning the events to be hidden.

    −(ce, Eset) : CompsEnv =
      (# a := a(ce) \ Eset,
         obs := λ o : (∃ o1 : obs(ce)(o1) ∧ o \ Eset = o1 \ Eset) #)

The rules are identical to the previous section. Similar to parallel composition
(Sect. 4.1), it is reassuring that the two versions are isomorphic.

    HideRemRel : LEMMA RemEnv(ce − Eset) = RemEnv(ce) − Eset
    HideAddRel : LEMMA AddEnv(comp − Eset) = AddEnv(comp) − Eset
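The definitions of Sects. 3 to 5 can be exercised on a finite instance alongside the PVS proofs, in the spirit of the putative theorems of Sect. 1.2. The following Python model is an added example and not part of the paper's PVS development: it instantiates Time with the discrete domain {0, 1, 2, 3}, represents an observation function as the set of (time, event) pairs, enumerates all observation functions over a three-event universe, and implements par, //, spec, ⊑, OnlyDepEve, hiding, AddEnv/RemEnv and the intersection-based composition of Sect. 4 literally (the Python names mirror the PVS names; Comp, all_obs and restrict are helpers of this model). The component instances are constructed, scaled-down versions of Examples 2 and 4 to 9, with the times 3, 7 and 12 of the text replaced by 0, 1 and 2; every entry returned by checks() corresponds to a lemma or example of the text and evaluates to True.

```python
"""Finite-instance checks of the definitions of Sects. 3-5 (an added example, not the
paper's PVS development).  Time is the discrete domain {0,1,2,3}; an observation
function is a frozenset of (time, event) pairs; a component is an alphabet plus a set
of observation functions.  Instances are scaled-down constructions of Examples 2, 4-9."""
from itertools import combinations
from typing import Callable, FrozenSet, NamedTuple, Tuple

TIME = range(4)                                   # finite discrete time domain
UNIVERSE = frozenset({"read", "comm", "write"})   # every event any component may use
Obs = FrozenSet[Tuple[int, str]]                  # type of observation functions

def all_obs(events) -> FrozenSet[Obs]:
    """All observation functions using only `events` (2^(|TIME|*|events|) of them)."""
    pairs = [(t, e) for t in TIME for e in sorted(events)]
    return frozenset(frozenset(c) for r in range(len(pairs) + 1) for c in combinations(pairs, r))

def restrict(o: Obs, events) -> Obs:
    """Pointwise intersection o ∩ Eset, i.e. projection onto `events`."""
    return frozenset(p for p in o if p[1] in events)

ALL = all_obs(UNIVERSE)   # the 4096 observation functions over UNIVERSE

class Comp(NamedTuple):
    alpha: FrozenSet[str]   # field a
    obs: FrozenSet[Obs]     # field obs

# -- Sect. 3: behaviours contain only alphabet events (ObsInAlpha holds by construction) --
def spec(eset, A: Callable[[Obs], bool]) -> Comp:
    eset = frozenset(eset)
    return Comp(eset, frozenset(o for o in all_obs(eset) if A(o)))

def par(c1: Comp, c2: Comp) -> Comp:
    """par: union of behaviours that agree on the shared alphabet."""
    shared = c1.alpha & c2.alpha
    return Comp(c1.alpha | c2.alpha, frozenset(o1 | o2 for o1 in c1.obs for o2 in c2.obs
                                               if restrict(o1, shared) == restrict(o2, shared)))

def par_alt(c1: Comp, c2: Comp) -> Comp:
    """//: the projection onto each alphabet is a behaviour of that component."""
    alpha = c1.alpha | c2.alpha
    return Comp(alpha, frozenset(o for o in all_obs(alpha) if restrict(o, c1.alpha) in c1.obs
                                 and restrict(o, c2.alpha) in c2.obs))

def refines(c1: Comp, c2: Comp) -> bool:        # c1 ⊑ c2: larger alphabet, fewer behaviours
    return c2.alpha <= c1.alpha and c1.obs <= c2.obs

def only_dep_eve(A, eset) -> bool:              # OnlyDepEveEquiv form: A(o) ⇔ A(o ∩ Eset)
    return all(A(o) == A(restrict(o, eset)) for o in ALL)

def hide(c: Comp, eset) -> Comp:                # comp − Eset: the hidden events are dropped
    keep = c.alpha - frozenset(eset)
    return Comp(keep, frozenset(restrict(o, keep) for o in c.obs))

# -- Sects. 4 and 5: behaviours include arbitrary environment events (ArbOutAlpha) --
def add_env(c: Comp) -> Comp:                   # AddEnv
    return Comp(c.alpha, frozenset(o for o in ALL if restrict(o, c.alpha) in c.obs))

def rem_env(ce: Comp) -> Comp:                  # RemEnv
    return Comp(ce.alpha, frozenset(restrict(o, ce.alpha) for o in ce.obs))

def par_env(ce1: Comp, ce2: Comp) -> Comp:      # //: intersection of the behaviour sets
    return Comp(ce1.alpha | ce2.alpha, ce1.obs & ce2.obs)

def spec_env(eset, A) -> Comp:                  # spec: agree on Eset with some o1 satisfying A
    eset = frozenset(eset)
    projections = {restrict(o1, eset) for o1 in ALL if A(o1)}
    return Comp(eset, frozenset(o for o in ALL if restrict(o, eset) in projections))

def hide_env(ce: Comp, eset) -> Comp:           # ce − Eset: any behaviour on the hidden events
    keep = UNIVERSE - frozenset(eset)
    projections = {restrict(o1, keep) for o1 in ce.obs}
    return Comp(ce.alpha - frozenset(eset), frozenset(o for o in ALL if restrict(o, keep) in projections))

def checks() -> dict:
    """The text's putative theorems on the scaled-down instances; every entry should be True."""
    at = lambda o, t, e: (t, e) in o
    read0, write1 = (lambda o: at(o, 0, "read")), (lambda o: at(o, 1, "write"))
    no_write1 = lambda o: not write1(o)
    P1 = spec({"read", "comm"}, lambda o: read0(o) and any(at(o, t, "comm") for t in (1, 2)))
    P2 = spec({"comm", "write"}, lambda o: all(   # comm at t forces a write at t+1 or t+2
        not at(o, t, "comm") or any(at(o, t + d, "write") for d in (1, 2)) for t in TIME))
    C1, C2 = spec({"write"}, write1), spec({"read", "write"}, write1)
    E1, E2, P12 = add_env(P1), add_env(P2), par(P1, P2)
    return {
        "AltSemEquiv": P12 == par_alt(P1, P2),
        "Example2": bool(P12.obs) and all(read0(o) and any(at(o, t, "write") for t in (2, 3)) for o in P12.obs),
        "ActionFalse": spec({"read"}, write1).obs == frozenset(),
        "C2notrefC1": not refines(C2, C1),
        "StarFails": not refines(par_alt(spec({"read"}, no_write1), C1), spec({"read", "write"}, lambda o: False)),
        "OnlyDepEveFails": not only_dep_eve(no_write1, {"read"}),
        "ParCompRule": only_dep_eve(read0, {"read"}) and only_dep_eve(write1, {"write"}) and refines(
            par_alt(spec({"read"}, read0), C1), spec({"read", "write"}, lambda o: read0(o) and write1(o))),
        "C2refC1_env": refines(add_env(C2), add_env(C1)),
        "ActionTrue_env": spec_env({"read"}, write1) == spec_env({"read"}, lambda o: True),
        "RemAddProp": rem_env(E1) == P1,
        "RemRel": rem_env(par_env(E1, E2)) == par_alt(P1, P2),
        "C1hideC2": hide(C2, {"read"}) == C1,
        "HideRemRel": rem_env(hide_env(E2, {"comm"})) == hide(P2, {"comm"}),
    }
```

Running checks() from an interpreter lists each putative theorem with its outcome. The entry StarFails is the finite counterpart of Example 6: without the OnlyDepEve side condition the composition has observation functions while the right-hand side of (*) has none, and OnlyDepEveFails shows that the assertion ¬o(1)(write) indeed depends on an event outside the alphabet {read}. The same model checks the isomorphism lemmas of Sects. 4.1 and 5.2 by direct set comparison.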
6 Hybrid Systems

As an application of the theory above, we present a simple example of a hybrid
system, i.e. a system with discrete and continuous components. As a typical
example, we consider in Sect. 6.3 a simple process control application with the
following structure.

[Figure: structure of the process control application; not reproduced here.]

The general outline of our approach for such systems is described in Sect. 6.2. We
will use the framework of Sect. 3 and Sect. 5.1 (i.e., without environment events)
to show a few steps towards the design of a discrete controller. Further, the
example serves to illustrate recent ideas on platform-independent development
of real-time systems [HvR97], as indicated in the next section.

6.1 Platform-Independence

The goal is to postpone platform-dependent design decisions as long as possible.
To achieve this, we distinguish two activities:

— A platform-independent programming activity, where a program is developed
independently of any particular architecture on which it has to be executed. To
achieve this, a notation has been devised to annotate programs with timing
specifications. By programming the functional behaviour and only specifying
the timing behaviour, we obtain a context- and platform-independent way of
describing algorithms, similar to untimed system design.

— An activity where the program, including timing annotations, is realized
on a particular platform. This involves the transformation of the annotated
program into scheduling blocks plus timed precedence constraints, and the
design of a schedule for the execution platform. Different from the usual
compilation phase for untimed programs is that schedulability analysis might
indicate that it is not possible to find a schedule, so that either the program or
the platform has to be adapted.

This approach should be contrasted with the traditional practice where in an early
phase of the design internal deadlines, periods, and priorities are chosen, thus
making the design both context dependent (e.g., even depending on priorities of
unrelated tasks) and implementation dependent (e.g., depending on the duration
of basic statements and the scheduling policy).



6.2 Design of Process Control Systems 

To design a real-time computer system which controls physical processes, we
propose the following approach.

1. Formulate the requirements specification of the complete system, including
continuous components.

2. Formalize the assumptions about the physical processes in the system.

3. Specify the control component, in general using continuous quantities (as in
the previous steps).

4. Verify the control algorithm of the previous step, i.e. show that the specifi-
cations of 2. and 3. lead to the properties specified in step 1.

5. Step-wise transformation of the continuous control strategy (of step 3) into a
specification in terms of a discrete interface. Usually this is done by means of
sensors and actuators, assuming formal specifications of these components.

6. Design a program satisfying the discrete specification, obtained in the pre-
vious step, of the control component.



6.3 Example Hybrid System 

The example presented here is a simplified version of a mine pump exam-
ple [MJ96]. Consider a mine with a certain engine (e.g., a pump to evacuate
water) which should not be operating when a certain amount of gas is present,
because that might lead to an explosion. Following the steps above, first the
requirements specification of the mine system is formulated.

Requirements Specification As a first specification of the system, we simply
require that no explosion should occur at any point of time, where we choose
the real numbers as our (continuous) time domain.

  ExplEx : THEORY
  BEGIN
    Time : TYPE = real

    NonNegTime : TYPE = {t : Time | t ≥ 0}

    IMPORTING Hiding[Time, <, ≤]

    expl : Events

    EMS : setof[Events] = {e | e = expl}

    AMS : Assertion = λ o : ∀ t : ¬o(t)(expl)

    MineSystem : Comps = spec(EMS, AMS)

Specify Physical Environment Next we specify the assumption that an ex-
plosion can only occur if the engine is operating and there has been gas for at
least, say, CritGasPeriod time units. For simplicity, suppose there is an event
engine which occurs iff the engine is operating. An alternative is to use start and
stop events for the engine, and to define a predicate expressing that the engine
is on if the last event was a start event.

    gas, engine : Events

    ContEventsDiffer : AXIOM gas ≠ expl ∧ gas ≠ engine ∧ expl ≠ engine
    EM : setof[Events] = {e | e = expl ∨ e = gas ∨ e = engine}

    CritGasPeriod : NonNegTime
    AM : Assertion = λ o :
      ∀ t : o(expl)(t) ⇒ o(engine)(t) ∧ o(gas) during [t − CritGasPeriod, t]

    Mine : Comps = spec(EM, AM)



Specify Control Component The aim is to specify a control strategy Control,
in terms of the physical events gas and engine, such that together with specifica-
tion Mine we obtain the required specification MineSystem. Hence the alphabet
is defined by EC.

    EC : setof[Events] = {e | e = gas ∨ e = engine}

As a first attempt, we specify that if there is gas at some point in time, then the
engine is switched off within, say, StopDelay time units:

    λ o : ∀ t : o(t)(gas) ⇒ ¬o(engine) in [t, t + StopDelay]

Assuming StopDelay < CritGasPeriod this indeed leads to MineSystem. (Note
that in only demands some point of [t, t + StopDelay] at which the engine is off;
the derivation of MineSystem relies on the intended reading that the engine then
stays off, which the formulations below make explicit.) But the
specification is stronger than necessary and imposes an unrealistic condition on
the implementation: gas needs to be observed at any point in time, since a
response is needed for any single point in time where gas occurs. Therefore, as
a next attempt, we weaken the assertion, requiring that if there is gas during a
certain period then the engine should be off after StopDelay.

    λ o : ∀ t1, t2 : o(gas) during [t1, t2] ⇒ ¬o(engine) during [t1 + StopDelay, t2]

Observe that the assertion is trivially true if t2 < t1 + StopDelay, and hence a
response is only needed if there is gas during StopDelay time units. Again we
can derive MineSystem, provided StopDelay < CritGasPeriod.

However, aiming at platform-independence, we try to avoid internal reaction
times, such as StopDelay, and corresponding conditions on them. This leads to
the following specification, which only refers to the given constant CritGasPeriod.

    AC : Assertion = λ o :
      ∀ t : o(gas) during [t, t + CritGasPeriod] ⇒ ¬o(engine)(t + CritGasPeriod)

    Control : Comps = spec(EC, AC)



Verification of the Control Algorithm The main part of the verification is the proof that the assertions of the mine and the control algorithm lead to the assertion of the system, as expressed by lemma MSAssert.

MSAssert : LEMMA Valid(AM ∧ AC ⇒ AMS)

To apply the parallel composition rule we first prove OnlyDepEve(AM, EM) and OnlyDepEve(AC, EC). Then the rules ParCompRule and ConsRule, together with transitivity of refinement (theorem RefTrans), lead essentially to the required specification, except that the alphabet still contains the events gas and engine.

MSIntEve : setof[Events] = {e | e = gas ∨ e = engine}

MSPar : THEOREM Mine // Control ⊑ spec(EMS ∪ MSIntEve, AMS)

To remove the gas and engine events, we apply monotonicity of hiding (HideMono), transitivity of refinement (RefTrans), and the hiding rule (HideRule).

MSRef : THEOREM (Mine // Control) − MSIntEve ⊑ MineSystem

END ExplEx



6.4 Transformation into a Discrete Interface 



To obtain a discrete interface, we assume here that the control program communicates with sensors and actuators by means of shared registers. This communication mechanism is axiomatized in theory RegisterComm, expressing that reading a register yields the last written value.

RegisterComm [Registers : TYPE, Values : NONEMPTY_TYPE, Time : TYPE...] : THEORY
BEGIN
ASSUMING...

IMPORTING SemPrim[Time, <, ≤]

reg : VAR Registers

val, val0, val1, val2 : VAR Values

read(reg, val) : Events
write(reg, val) : Events

LastWrite(reg, val, o, t) : bool = ∃ t0 : t0 < t ∧ o(write(reg, val))(t0) ∧
  (∀ val1 : val1 ≠ val ⇒ ¬o(write(reg, val1)) during (t0, t])

NoWrite(reg, o, t) : bool = ∀ t0, val : t0 < t ⇒ ¬o(write(reg, val))(t0)

ReadWriteAx : AXIOM
  o(read(reg, val))(t) ⇒ LastWrite(reg, val, o, t) ∨ NoWrite(reg, o, t)

Observe that in case of simultaneous writes a non-deterministic choice is made. Any arbitrary value is allowed if there are no preceding writes. Finally we introduce a convenient abstraction from the values read or written.

read(reg) : Events
write(reg) : Events

AbstrReadAx : AXIOM o(read(reg))(t) ⇔ (∃ val : o(read(reg, val))(t))

AbstrWriteAx : AXIOM o(write(reg))(t) ⇔ (∃ val : o(write(reg, val))(t))

END RegisterComm



Gas Sensor Assume given a gas sensor which updates a boolean register GasPresent at least once every WritePeriod time units. Moreover, assume each update reflects the current state of the gas.

ExplReg : THEORY
BEGIN

IMPORTING ExplEx

Registers : NONEMPTY_TYPE
RegValues : TYPE = bool

IMPORTING RegisterComm[Registers, RegValues, Time, <, ≤]

GasPresent : Registers

EGS : setof[Events] = {e | e = gas ∨ e = write(GasPresent) ∨
  ∃ val : e = write(GasPresent, val)}

WritePeriod : NonNegTime

AGS1 : Assertion = λ o : ∀ t : o(write(GasPresent)) in [t, t + WritePeriod]

AGS2 : Assertion =
  λ o : ∀ t, val : o(write(GasPresent, val))(t) ⇒ val = o(gas)(t)

AGS : Assertion = AGS1 ∧ AGS2
GasSensor : Comps = spec(EGS, AGS)

Gas Sensor Control The goal is to specify a component which reads register GasPresent and controls the engine. Hence it has the following alphabet.

ESC : setof[Events] = {e | e = engine ∨ e = read(GasPresent) ∨
  ∃ val : e = read(GasPresent, val)}

A possible specification of the control component could express that register GasPresent is read at least once every ReadPeriod time units.

λ o : ∀ t : o(read(GasPresent)) in [t, t + ReadPeriod]

When reading a value TRUE from this register, the engine is stopped within SensorControlDelay time units, i.e., given o, for all t,

o(read(GasPresent, TRUE))(t) ⇒ ¬o(engine) in [t, t + SensorControlDelay]

Then we can prove that together with GasSensor this implies Control, assuming a number of constraints on the timing constants ReadPeriod and SensorControlDelay.

Again, however, we prefer to avoid the choice of internal reading periods and assumptions about internal response times. Here it is indeed possible to give a specification without introducing new timing constants. The key idea is that the response deadline should not depend on the time when GasPresent was found to be true, but on the previous read event. Observe that when gas becomes present, it might take at most WritePeriod before GasPresent is changed accordingly, and this might happen just after the previous read. Hence we have to switch the engine off within CritGasPeriod − WritePeriod after the previous read event.

[Figure: timing diagram with three intervals, at most CritGasPeriod from the moment gas becomes present, at most WritePeriod until GasPresent reflects it, and at most CritGasPeriod − WritePeriod remaining after the previous read.]

In the specification below, the previous read is not mentioned explicitly, but only the preceding non-read period. To be able to stop the engine in time, the register has to be read at least once every CritGasPeriod − WritePeriod time units.

reg : VAR Registers

OnceReadSince(o, reg, val)(t1, t2) : bool =
  t1 < t2 ∧ o(read(reg, val))(t2) ∧ ¬o(read(reg)) during (t1, t2)

OnceReadSince(o, reg)(t1, t2) : bool = ∃ val : OnceReadSince(o, reg, val)(t1, t2)

ASC1 : Assertion = λ o : ∀ t : (∃ t1, t2 : t1 < t ∧
  t2 ∈ [t, t + CritGasPeriod − WritePeriod) ∧
  OnceReadSince(o, GasPresent)(t1, t2))

We specify that if a value TRUE is read at t2 and any previous read event occurred before t1, then the engine is switched off before t1 + CritGasPeriod − WritePeriod and it remains off as long as no value FALSE has been read.

ASC2 : Assertion = λ o : ∀ t1, t2, t3 :
  OnceReadSince(o, GasPresent, TRUE)(t1, t2) ∧
  ¬o(read(GasPresent, FALSE)) in (t2, t3] ⇒
  (∃ t : t ∈ [t2, t1 + CritGasPeriod − WritePeriod] ∧
   ¬o(engine) during [t, t3])

ASC : Assertion = ASC1 ∧ ASC2

SensorControl : Comps = spec(ESC, ASC)



Verification of this Design Step To verify the design step, the most difficult part is to show that the assertions of the gas sensor and the sensor control lead to control assertion AC. This is expressed by lemma GSAssert, assuming WritePeriod < CritGasPeriod. After proving OnlyDepEve(AGS, EGS) and OnlyDepEve(ASC, ESC), the parallel composition rule leads to the control specification with the exception of a number of internal events.

GSAssert : LEMMA WritePeriod < CritGasPeriod ⇒ Valid(AGS ∧ ASC ⇒ AC)

GSIntEve : setof[Events] =
  {e | e = write(GasPresent) ∨ (∃ val : e = write(GasPresent, val)) ∨
   e = read(GasPresent) ∨ (∃ val : e = read(GasPresent, val))}

GSPar : THEOREM WritePeriod < CritGasPeriod ⇒
  (GasSensor // SensorControl ⊑ spec(EC ∪ GSIntEve, AC))

By the hiding rule the internal events can be removed, and finally we can combine this design step with the previous one, viz. MSRef, leading to TLGSRef.

GSRef : THEOREM WritePeriod < CritGasPeriod ⇒
  (((GasSensor // SensorControl) − GSIntEve) ⊑ Control)

TLGSRef : THEOREM WritePeriod < CritGasPeriod ⇒
  ((Mine // ((GasSensor // SensorControl) − GSIntEve)) − MSIntEve ⊑ MineSystem)

END ExplReg

Similarly, we could specify an actuator for the engine and develop a discrete specification of a control component. Here we only show the basic ideas of the last step, where a program satisfying this specification is developed.



Platform-Independent Program Design To illustrate the basic ideas of our approach to platform-independent program design, we extend a simple imperative programming language with so-called timing annotations, written between brackets "[ ... ]". These annotations contain expressions with special timing variables m, m1, m2, ... which are used to record and restrict the execution moment of statements. The execution moment of a statement is a relevant point in time during the execution of the statement.

Example 10. Consider, as a simple example, the program

read(r1, x)[ !m ] ; ... y := f(x) ... ; write(r2, y)[ ≥ m + L, ≤ m + U ] .

Annotation !m expresses that the execution moment of read(r1, x) is assigned to m. The annotation of write(r2, y) expresses that its execution moment should be after m + L and before m + U. Hence the timing annotations express the timing relations between relevant events, without further assumptions about the timing of intermediate parts.

In our simplified mine pump example, this leads to the following program.

Let d = CritGasPeriod − WritePeriod.

[ m1 := 0 ] ;
while true
do [ m2 := m1 ] ;
   read(GasPresent, h)[ ≤ m2 + d, !m1 ] ;
   if h then stop(Engine)[ ≤ m2 + d ] fi
od

Observe that m2 records the previous read event (0 if there is no such event). The timing annotations require that a read event occurs within at most d time units after the previous one, and a possible stop action also takes place within this deadline, as the next picture shows.
[Figure: timeline of one loop iteration: read(GasPresent, false) at m2, read(GasPresent, true) at m1 with m1 ≤ m2 + d, and stop(Engine) also within d after m2.]

With timing annotations there is no need to choose a reading period and, cor- 
respondingly, to determine an internal response time. Note that such a choice 
should depend on the platform; a short reading period gives a heavy periodic 
load, but a long period implies a short remaining response time and hence im- 
poses strong requirements on the timing of the response actions. 
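To make the bound d = CritGasPeriod − WritePeriod concrete, the following Python model is added here (it is not part of the paper and not the paper's PVS development). It simulates the register semantics of RegisterComm, a gas sensor satisfying AGS1 and AGS2, and the annotated control loop above, with the platform's reading interval as a parameter, so the reasoning behind ASC1 and the annotated program can be checked by experiment. Everything numeric is constructed for the illustration: CritGasPeriod = 10, WritePeriod = 3, gas appearing just after a sensor write (the worst case for the controller), a 40 time-unit horizon, and the assumption that stop(Engine) takes effect at the instant TRUE is read. With interval d every read phase is safe; with interval d + 1/8 there is a phase that violates both the timing annotation and the requirement that no explosion is possible.

```python
# Added example (not the paper's PVS code): a discrete-event model of the
# mine pump design with the platform's reading interval as a parameter.
# Constants, the gas onset and the horizon are constructed for illustration.
CRIT_GAS_PERIOD = 10.0
WRITE_PERIOD = 3.0
D = CRIT_GAS_PERIOD - WRITE_PERIOD      # the deadline d of the annotated program
EPS = 1.0 / 64                          # a "just after" step, exact in binary floating point
GAS_ONSET = WRITE_PERIOD + EPS          # worst case: gas appears just after a sensor write
HORIZON = 40.0                          # length of the simulated run


def gas(t):
    """Physical environment (constructed): gas is present from GAS_ONSET on."""
    return t >= GAS_ONSET


class Register:
    """Shared register as in RegisterComm: a read at t yields the value of the
    last write strictly before t.  The initial write at time 0 avoids the case
    of ReadWriteAx in which no write precedes a read and any value is allowed."""

    def __init__(self, initial):
        self.writes = [(0.0, initial)]  # (time, value), appended in time order

    def write(self, t, val):
        self.writes.append((t, val))

    def read(self, t):
        return [v for (tw, v) in self.writes if tw < t][-1]


def gas_sensor(reg):
    """AGS1 and AGS2: write GasPresent every WritePeriod with the current gas state."""
    t = 0.0
    while t <= HORIZON:
        reg.write(t, gas(t))
        t += WRITE_PERIOD


def controller(reg, interval, phase):
    """The timing-annotated loop.  The platform performs the first read at
    `phase` and each next read `interval` later; on reading TRUE the engine is
    stopped at the same instant (assumption).  Returns (annotations_respected,
    stop_time), with stop_time None if the engine never stops."""
    m1, ok, t = 0.0, True, phase
    while t <= HORIZON:
        m2 = m1                                # [ m2 := m1 ]
        h, m1 = reg.read(t), t                 # read(GasPresent, h)[ <= m2 + d, !m1 ]
        ok = ok and t <= m2 + D                # check the annotation on the read
        if h:
            return ok, t                       # stop(Engine)[ <= m2 + d ]
        t += interval
    return ok, None


def explosion_possible(stop_time):
    """AM: an explosion needs the engine on at some t with gas during [t - CritGasPeriod, t]."""
    return stop_time is None or stop_time > GAS_ONSET + CRIT_GAS_PERIOD


def check(interval, phase):
    """Run sensor and controller; return (annotations_respected, safe)."""
    reg = Register(False)
    gas_sensor(reg)
    ok, stop = controller(reg, interval, phase)
    return ok, not explosion_possible(stop)


def safe_for_all_phases(interval):
    """True iff no read phase on a 1/64 grid in (0, d] leads to an explosion."""
    return all(check(interval, k * EPS)[1] for k in range(1, int(D / EPS) + 1))
```

The phase 5.984375 is the read that happens just before the first TRUE write at time 6: with interval d the next read at 12.984375 still precedes the earliest possible explosion at 13.015625, while with interval d + 1/8 the next read at 13.109375 comes too late and the annotation ≤ m2 + d is violated by exactly the same amount.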

In general, correctness of a program with timing annotations does not require 
any assumption about the execution platform such as the duration of statements, 
the number of processors, the mapping of processes to processors, and the par- 
ticular scheduling policy. Extracting a timed precedence graph from the program 
and scheduling it on a particular platform is considered as a separate activity. 



7 Concluding Remarks 

We have presented two approaches for a timed semantics of parallel components: 

— In the first framework (Sect. 3) an observation function of a component contains only events of its alphabet. The semantics of parallel composition can either be formulated using the union of observations plus some synchronisation constraint, or by requiring that an observation function of the parallel construct can be projected onto behaviours of the components.

— In the second framework (Sect. 4) any arbitrary behaviour outside the alpha- 
bet is included in the semantics. Then the semantics of parallel composition 
is defined using a simple intersection of the sets of behaviours. 

A straightforward correspondence has been established between the two seman- 
tics approaches, using functions that add or remove the arbitrary events of the 
environment. 

Observe that these approaches also have consequences for the allowed refinements, although we used the same refinement relation for both approaches (a simple set inclusion, similar to the trace inclusion in e.g. [Old85]). For instance, in the second framework the condition in the consequence rule can be weakened.

An interesting comparison is with the refinement relation defined in [AH97], which requires that if an observation of the implementation is projected onto the alphabet of the specification, an observation of the specification is obtained. In our framework this could be defined as

ci1 ⊑ ci2 : bool = α(ci2) ⊆ α(ci1) ∧ (∀ o : obs(ci1)(o) ⇒ obs(ci2)(o ↾ α(ci2)))

Observe that for reflexivity of ⊑ it is required that an observation function contains only events of the alphabet, i.e. property ObsInAlpha should hold.

As mentioned in [AH97], this relation implies P // Q ⊑ P. This does not hold in our first framework without environment events, but there we can hide the external events of the second component and get

((comp1 // comp2) − (α(comp2) \ α(comp1))) ⊑ comp1

In the second framework, which contains arbitrary environment events, we have

ce1 // ce2 ⊑ ce1

since adding a parallel component simply restricts the set of behaviours.

Clearly more work is needed to investigate various notions of refinement 
in combination with the real-time frameworks developed here and to study 
their mutual relations. Also relevant is a comparison of extensions to sequen- 
tial programs with a local state, similar to [Hoo94]. Another topic of future 
research concerns the specifications which are kept simple here, but might be 
more structured with, for instance, pre/post conditions or rely /guarantee (as- 
sumption/commitment) pairs. 

Current work includes research on the ideas of platform-independent design of 
real-time systems. Although an axiomatic semantics has been given for a simple 
language with timing annotations [HvR97], more work is needed to obtain a 
formal semantics of a more realistic programming language and to incorporate 
this into PVS. Also the design process, supported by compositional proof rules, 
requires further study. 
Abstract. Objects are a convenient representation for building compositional open systems. Many object models exist in the literature and
building a new proof system for each is infeasible. Instead of constructing 
a new proof system from first principles, we show how proof methodolo- 
gies for non-object-oriented systems can be adapted. We give a sample 
object model that includes inheritance, active objects, and unbounded 
creation of both objects and threads. We show how a proof system for 
this model can be built from a modular concurrent logic. We also discuss 
the reuse of proofs during the construction of subclasses. 



1 Introduction 

The great promise of object-oriented technology is that it makes truly open 
systems possible. In a system where reusable and replaceable components are 
encapsulated as objects, upgrades can be effected by replacing individual com- 
ponents. Other system components are unaffected by such changes, as long as 
each replacement meets the specification of the original component. The dream 
of building applications by plugging together off-the-shelf software components 
is realizable in such a system. 

The choice of an object-oriented approach to open system construction im- 
pacts the way in which system specification and verification is carried out. A 
compositional approach is natural, due to the encapsulated nature of the system 
components. However, a number of design choices must be made when creating 
a proof system. For example, the underlying object model must be both simple 
enough to support compositional reasoning, and rich enough to model actual 
systems. Also, the proof system should support both proof and code reuse in 
subclasses. 

Many object models have been explored in the literature. Creating a proof 
system is difficult and error-prone work, so we want to avoid creating a new 
proof system for each model variation. We show how a non-object-oriented com- 
positional proof system can be adapted to an object-oriented setting. To do so, 
we first describe a simple object-oriented model containing a synthesis of ideas 
from the literature. The model is founded on atomic code fragments, pieces of 
executable code that execute atomically with respect to the rest of the system. 
Methods are composed of such code fragments. Synchronization constraints on code fragments are expressed with guards.

We consider the form in which object properties are expressed. Such proper- 
ties are put to two very different uses. The user of an object needs its abstract 
interface only, but the object implementor needs information about the concrete 
implementation of an object to create subclasses. For example, when creating a 
priority queue subclass from a generic queue parent class it is very important to 
know how the queue is stored internally. This leads us to distinguish between 
abstract and concrete properties of an object. Although this distinction is very 
language-dependent and perhaps somewhat arbitrary, it has been shown to be 
useful in structuring object class development [22]. 

We have chosen to express object properties in TLA [11] (Temporal Logic of 
Actions), although other concurrent logics could be used. Our proof methodology 
is founded on the abstract /concrete property dichotomy, and TLA’s Composition 
Theorem [2]. We use this theorem to prove an object’s abstract properties from 
its concrete properties, to prove properties of systems of objects, and to prove 
properties of a subclass while reusing proofs from the parent class where possible. 

The overall proof methodology is illustrated in Figure 1. We first prove 
concrete properties of an object’s methods from its source code. This step is 
language-dependent, and receives little attention in this paper. Next, the ab- 
stract property of the class is proved from the concrete properties via TLA’s De- 
composition Theorem. Classes which have had their abstract properties proved 
in this manner are then composed to prove the property of the system as a 
whole. 

Code reuse is achieved through local reasoning and composition, but global 
reasoning is often difficult to avoid. An example of this problem is given in [15]. 
The authors demonstrate that Segall’s PIF algorithm [20] (which they call the 
“gossip” algorithm) is very hard to reason about compositionally. We use this 
algorithm to illustrate our ideas, and give a compositional proof of its correctness. 

The rest of the paper is organized as follows. We first describe Segall’s PIF 
algorithm. We describe the object model in Section 2. In Section 3, we give the 
translation from the object model to TLA. We also present the proof methodol- 
ogy, showing the roles of both composition and concrete and abstract properties. 
Section 4 describes related work. We conclude with a few remarks on future re- 
search. 



1.1 Example: Segall’s PIF algorithm 

The PIF (propagation of information with feedback) algorithm sends informa- 
tion (the “gossip”) across the network from a root node (the “initiator”), then 
collects responses (the “feedback”) back at the root. It is used for both infor- 
mation scattering and gathering operations, such as a distributed summation 
algorithm [24]. The property provided by this algorithm is that the root knows 
that all nodes in the network have received the gossip, and that the feedback it 
receives has been collected from all nodes in the network. 
Fig. 1. Proof Methodology



The initiator begins the algorithm by sending the gossip to its immediate 
neighbors, as shown in Figure 2(a). It then waits for its neighbors to respond. If 
node j first receives the gossip from node i, then we say that i is the parent of 
j, as shown in Figure 2(b). Each node sends the gossip to all neighbors but its 
parent, then waits to receive a message from all nodes but the parent. Once this 
has occurred, it sends an acknowledgment to its parent. Once the initiator has 
received acknowledgments from all neighbors, it terminates the algorithm. 

Our formulation of this algorithm in object-oriented terms is very simple. We employ a single class of objects, Node, with a private method Gossip and a public method Start. Correctness of the algorithm is dependent on a number of environment assumptions, which we state explicitly. Segall's PIF algorithm has been mechanically verified [8]. In this paper, we show how our general compositional technique can be applied to its proof.



2 Object Model 

In this section, we describe an object-oriented programming model, for which 
we will construct a proof system in Section 3. Our object model is intended to 
reflect trends we expect to see in real concurrent systems of the future. It is 
similar to other concurrent object models, such as Orca [3] and Java [13]. 
Fig. 2. Segall's PIF Algorithm



2.1 Basic Concepts 

An object is a named, encapsulated state container. The state cannot be accessed 
directly; the only external access is through method calls, or operations. An 
object is a concurrent entity. That is, objects can have multiple threads of control 
(or just threads) running in them simultaneously. For full generality, we place 
no a priori upper bound on the number of threads or the number of objects in 
the system. 

Atomic actions are expressed with atomic code fragments (or just fragments), 
which may range from individual machine instructions (or parts thereof) to 
large units of code. Since we can express arbitrary units of atomicity, arbitrarily 
complex actions can take place in a single atomic step. A method consists of a set 
of fragments with some control structure imposed on it. The control structure 
can use any of the usual constructs; e.g., sequencing and iteration. 

Synchronization constraints (both mutual exclusion and condition synchronization) are expressed with a guard on each code fragment. The meaning of the guard is that, if the associated code fragment executes, it does so atomically starting in a state satisfying the guard. The guard may only reference the state of the associated object and the executing thread¹. A trivial guard is true in all states. The guard plays much the same role as in Owicki and Gries' system [17], ensuring that the local state meets some criterion before the following atomic step takes place. However, our construction differs from their await B then S construction in allowing method calls inside an atomic fragment. We describe method call semantics in Section 2.3. Like Owicki and Gries, we assume that each fragment is terminating, as a non-terminating atomic action can never have any visible effect on the system state.

¹ However, since object references may be part of such state, a guard can contain method calls. A guard may be evaluated an arbitrary number of times, so we do not want guard evaluation to change the state of any object. Hence, method calls in guards may only be to "read-only" methods.

Guards may become satisfied, and then be falsified again before a waiting 
thread has a chance to execute. To deal with starvation issues, we make two kinds 
of fairness assumptions about the system: weak fairness (a thread waiting on a 
continuously enabled guard eventually executes), and strong fairness (a thread 
waiting on an infinitely often enabled guard eventually executes). Although the 
set of threads in the system can be dynamic and unbounded, we show in section 3 
that existing techniques for fixed sets of processes can be adapted. 

For convenience in reasoning, we group objects with identical implementations into classes. Thus, proofs constructed for one member of a class apply to all instances of that class. For the moment, we assume that class implementations are fixed in advance, so that we may reason from the program text. This assumption does not hold for all languages. For example, Common Lisp [23] has a Meta-Object Protocol (MOP) that allows the user to construct and alter classes at runtime. Such systems introduce complexities that we do not address in this paper.



2.2 Segall’s PIF Algorithm Revisited 

Figure 3 illustrates the concepts we have introduced so far. It is pseudocode, in a 
graphical form, for a class named Node that implements Segall’s PIF algorithm. 
The heavy lines denote atomic fragments. Arrows leading into atomic fragments 
are labeled with guard conditions. For convenience, each fragment is assigned 
a name, which is given at the top of the box denoting the fragment. Note that 
the control structure and the fragment structure can be viewed independently 
of one another. The dashed line and extra names in fragment SetParent will be 
explained shortly. 

The state of objects of class Node consists of two variables, Parent and Waiting. The Parent variable holds a node reference, thereby implementing the tree shown in Figure 2(b). If Parent = self, then the node is the initiator, shown in Figure 2(b) as pointing to "Caller". The Waiting variable holds a set of node references. This is the set of neighbors to which the node has sent the gossip, but from whom it has not yet received the gossip. Initially, Parent is null and Waiting is empty. A non-null Parent and a nonempty Waiting imply that the node is participating in the outward phase of the gossip algorithm.

The public interface to the Node class is the Start method. It has two frag- 
ments, Initiate and Done, each with nontrivial guards. The guard on fragment 
Initiate requires the calling thread to wait if this node is already participating in 
an execution of the gossip algorithm. If it is not, then this node is marked as the 
initiator by setting Parent to self . The Waiting set is initialized to all neighbors, 
and the gossip is sent to all neighbors. The thread then waits on the guard of 
fragment Done until the Waiting set is empty, signifying that the algorithm has 
run to completion. At that point, it executes a trivial atomic fragment and exits, 
signaling to the caller that the gossip synchronization is complete. 
Parent : Node;
Waiting : set of Node;
initially Parent = null ∧ Waiting = ∅

public method Start(): fragments Initiate, Done
private method Gossip(n : Node): fragments SetParent (dashed split into SetParent' and SendGossip), ACK
active: fragment ReplyParent

[Figure: graphical pseudocode; the fragment bodies and guard labels are not recoverable here.]

Fig. 3. Gossip algorithm implementation for class Node



The Gossip method is private, meaning that objects not of class Node do 
not have access to it. The argument to the method is of class Node, intended 
to be the caller sending the gossip. This method consists of two atomic code 
fragments, SetParent and ACK , each with a trivial guard. Fragment SetParent 
tests whether the gossip has been heard before, which is the case if Parent is 
non-null. If the gossip has not been heard, then Parent is set to the caller, and 
the Waiting set is initialized to all neighbors but Parent. Then the gossip is 
sent to all nodes in Waiting (if any). If the node already had Parent set, then fragment ACK is executed. In that case, the caller must be some element of Waiting. Hence, we remove it from Waiting. The method then terminates.

Objects of class Node are active objects. That is, a thread of control is created when the object is created. The thread waits on the guard of fragment ReplyParent. For the initiating node, the thread never terminates, since Parent = null UNTIL Parent = self is satisfied. For all other Node objects, the guard becomes true when all neighboring nodes other than the parent have sent a message. Then fragment ReplyParent can execute, which causes the node to call Gossip on its parent, signaling that it is done. The active thread then exits. In other types of objects, the active thread never terminates. Such objects exhibit a looping structure in the active code.

Notice that trivial alterations to guards or the structure of the atomic fragments can result in an incorrect algorithm. For example, consider the effect of splitting fragment SetParent into fragments SetParent' and SendGossip as indicated by the dashed rectangle in Figure 3. Suppose that SetParent' retains SetParent's trivial guard, and SendGossip also has a trivial guard. Let thread t1 execute fragment SetParent', then be interrupted before it can execute fragment SendGossip. Let thread t2 execute fragment SetParent', thereby removing the calling node, p, from Waiting. When thread t1 resumes, it will fail to call Gossip on p, since p ∉ Waiting. Then p will never send an acknowledgement to its Parent, and by induction up the Parent tree, the algorithm never terminates.

Another small alteration that affects the correctness of the algorithm can be 
illustrated with the nontrivial guards of method Start. The guard of fragment 
Initiate can be removed under the guarantee that only one thread is executing 
in Start over all nodes at any one time. However, the guard of fragment Done is 
vital. It causes the thread executing Start to suspend awaiting responses from 
all neighbors. This guard ensures that the synchronization promised by the al- 
gorithm actually takes place: the initiating method does not terminate until all 
nodes have received the gossip. 
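The class Node and the race just described, as an executable model added here (it is not the paper's pseudocode and not code from any project). An atomic fragment is the code between two successive `yield guard` points of a Python generator, and a small scheduler executes one enabled fragment at a time. The scheduling policy (a newly created thread runs before older ones; a thread that has executed a fragment or is blocked goes to the back of the queue), the triangle network A, B, C with A as initiator, and the decision to stop at quiescence are assumptions of the example. With SetParent atomic, Start terminates and every node has a parent. With SetParent split into SetParent' and SendGossip, the same policy interleaves B.Gossip(C) between the two halves of B.Gossip(A): C is removed from B's Waiting set, B never sends the gossip to C, C never acknowledges to A, and Start never terminates.

```python
# Added example (not the paper's code): Segall's PIF algorithm in the object
# model of Section 2.  An atomic fragment is the code between two successive
# `yield guard` points of a generator; the scheduler runs one enabled fragment
# at a time.  With split_set_parent=True fragment SetParent is split into
# SetParent' and SendGossip, which lets the fixed scheduling policy below
# reproduce the lost-gossip interleaving described in the text.
from collections import deque


def trivial():
    """The trivial guard, true in all states."""
    return True


class Scheduler:
    """Threads are generators that yield the guard of their next fragment.
    Policy (an assumption of this example, not of the object model): a newly
    created thread is scheduled before older ones; a thread that has executed
    a fragment, or is blocked on its guard, goes to the back of the queue."""

    def __init__(self):
        self.ready = deque()

    def spawn(self, gen):
        self.ready.appendleft((gen, next(gen)))       # advance to the first guard

    def run(self):
        """Execute fragments until no thread is enabled any more (quiescence)."""
        blocked = 0
        while self.ready and blocked < len(self.ready):
            gen, guard = self.ready.popleft()
            if not guard():                           # guard false: keep waiting
                self.ready.append((gen, guard))
                blocked += 1
                continue
            blocked = 0
            try:
                self.ready.append((gen, next(gen)))   # one atomic fragment
            except StopIteration:
                pass                                  # thread terminated


class Node:
    def __init__(self, name, sched, split_set_parent=False):
        self.name, self.sched, self.split = name, sched, split_set_parent
        self.neighbors = []            # set by the caller, in name order
        self.parent = None             # initially Parent = null
        self.waiting = set()           # initially Waiting = {}
        self.start_done = False
        sched.spawn(self.active())     # active object: a thread is created with it

    def start(self):                   # public method Start
        yield lambda: self.parent is None            # Initiate: not already participating
        self.parent = self                           # this node is the initiator
        self.waiting = set(self.neighbors)
        for n in self.neighbors:
            self.sched.spawn(n.gossip(self))         # asynchronous call Gossip(self)
        yield lambda: not self.waiting               # Done: all neighbours have answered
        self.start_done = True

    def gossip(self, caller):          # private method Gossip(n)
        yield trivial                                # SetParent
        if self.parent is None:                      # gossip not heard before
            self.parent = caller
            self.waiting = set(self.neighbors) - {caller}
            if self.split:
                yield trivial                        # SendGossip as a fragment of its own
            for n in sorted(self.waiting, key=lambda m: m.name):
                self.sched.spawn(n.gossip(self))
        else:                                        # ACK: the caller must be in Waiting
            self.waiting.remove(caller)              # a KeyError here would flag a broken invariant

    def active(self):                  # the object's own thread, fragment ReplyParent
        yield lambda: self.parent not in (None, self) and not self.waiting
        self.sched.spawn(self.parent.gossip(self))   # acknowledge to the parent


def run_pif(split_set_parent=False):
    """PIF on the triangle A-B-C with A as initiator.  Returns (Start terminated,
    {node: parent}); a Start that never terminates means the algorithm deadlocked."""
    sched = Scheduler()
    nodes = [Node(name, sched, split_set_parent) for name in "ABC"]
    for x in nodes:
        x.neighbors = [y for y in nodes if y is not x]
    sched.spawn(nodes[0].start())
    sched.run()
    return nodes[0].start_done, {x.name: x.parent.name if x.parent else None for x in nodes}
```

The initiator's active thread is blocked forever by design, so the scheduler reports quiescence in both runs; the difference shows in the result of Start. In the atomic run B first hears the gossip from C, so the parent tree is B → C → A; in the split run all parents point to A but C's Waiting set never empties.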



2.3 Method Calls 

We now consider the semantics of a method call inside an atomic fragment. The 
problem we must consider is this: what happens when a method call is made in 
the middle of a fragment, but the called method consists of multiple fragments? 
Worse yet, what if the execution of those methods results in more method calls, 
causing a cascade of calls to take place? What is the meaning of atomicity in 
this situation? 

The answer lies in two mechanisms. First, method calls are composed of two distinct events: the call and the return. We allow these events to be separated in the code. The method call returns a unique handle which can be used to test for completion of the call, and to retrieve return values upon completion. Due to the test for completion, the handle can be used in a guard to block until the called method returns. A synchronous method call is then one where the calling thread blocks awaiting completion immediately after making the call; otherwise, the call is asynchronous.

Second, if, inside an atomic fragment, a thread makes a method call and waits for its completion, then the call is nested inside the fragment. It must appear that the calling fragment and all events caused by the method call take place in a single atomic step. That is, the effect must be the same as though all other threads were suspended during execution of the method call. Nested atomic fragments are a way of implementing multi-object operations, atomic steps that access more than one object. They are closely related to nested transactions in concurrent databases. Note that such a fragment is not enabled unless all associated fragments can complete in a single atomic step. Hence, in general it is impossible to determine whether a nesting fragment is enabled solely from the state of its associated object.



3 Proof Methodology 

Our goal is to construct a compositional proof system for the object model 
described in Section 2. However, we would like to avoid constructing it from first 
principles, as that is a time-consuming and error-prone task. Instead, we show 
how to construct a proof system from an existing compositional, though not 
object-oriented, concurrent proof system. We expect that other object models 
can have proof systems constructed in a similar manner. 

Our model and proof methodology are relatively independent of the under- 
lying logic. However, various logics may be easier or harder to work with in the 
context of this model. State-based models such as TLA [11] and UNITY [5] favor 
a shared variable model. Action-based models such as I/O Automata [14] fa- 
vor a message-passing model. A concurrent object system, however, draws from 
both kinds of models. Methods share state of the enclosing object; objects send 
messages to (make method calls on) one another. Hence, either kind of logic 
may prove awkward for dealing with some constructs. In spite of this difficulty, 
we have chosen TLA (described in [2, 11] and elsewhere in this volume) as our 
underlying logic. This choice was somewhat arbitrary. Our example could be 
reworked, for example, to use UNITY [5] with the compositional techniques of 
Collette and Knapp [6]. 

Our general method is shown in Figure 1. We begin with the program text, 
using language rules to prove that each method implements a concrete property. 
In our case, this means that we give a TLA representation of each method, based 
on the language semantics¹. These concrete properties are expressed relative to 
some concrete representation of the object state. We then use TLA's Decom- 
position Theorem to prove that the concrete properties collectively implement 
the abstract properties of the object's methods. These abstract properties are 
expressed relative to some abstract representation of the object state. Then we 
show, using compositional techniques, that the objects in a system collectively 
satisfy some desired property. 

¹ We do not use any specific language in this paper, but assume that some language 
supporting the object model is used. 

While this proof methodology may seem unnecessarily complicated, it has 
certain advantages. The concrete properties need only be proved once, from the 
program text. They can then be reused in subclasses. The abstract properties 
are closely related to the corresponding concrete properties. When creating a 
subclass, one simply shows that the changes made to the parent class do not vi- 
olate the environment assumptions of unchanged methods. When that is shown, 
the abstract properties can be reused as well. Global reasoning can be postponed 
to the composition step, when the various object classes are glued together to 
form a system. 



3.1 TLA Representations 

Our first task is to choose a TLA representation for the entities in our object 
model (see Figure 4). An easy choice is to make each object class a TLA module. 
TLA differentiates between internal variables, those not accessible to the envi- 
ronment, input variables, those manipulated by the environment and read by the 
module, and output variables, those which give information to the environment. 
Hence, the state of an object is represented by internal variables, since encapsu- 
lation makes such variables inaccessible to the environment. Because we place no 
a priori bound on the number of instances of each class, the state variables are 
actually infinite arrays, indexed by a number uniquely assigned to each object². 



Object Model                TLA Representation 

class                       module 
class variables             module internal variables 
instance variables          arrays of module internal variables 
thread                      arrays of module input and internal variables 
guarded atomic fragments    atomic steps 
method                      collection of atomic steps 
method call/return          wait sets 
nested fragment             atomic step with environment assumption 

Fig. 4. Object model — TLA correspondence 



Instead of input and output variables, we have method calls and returns. 
Since they perform similar functions, we expect there to be a close relationship 
between the two. The obvious approach is to have a set of input variables for each 
method, corresponding to the parameters of the method, and output variables 
corresponding to return values. However, there are no bounds on the number of 
threads in the system, so we must resort to making such variables infinite arrays 
again, assigning each thread a unique number³. 

² The number need only be unique over all classes of which the object is a member. 

By choosing an interleaving representation in TLA, we make TLA actions 
atomic. Therefore, we can represent each atomic fragment as a TLA action. 
However, such actions can operate on an unbounded number of instances of the 
class, and an unbounded number of threads in an instance. Hence, references to 
object and thread variables must be indexed with the unique numbers discussed 
above. Atomic fragment guards are represented as predicates over the initial 
(unprimed) state of the object and thread. 

We need a thread representation for recording internal thread states, includ- 
ing a "program counter". We employ the infinite array solution again, changing 
variable names as needed to avoid collisions, and introduce the notion of a wait 
set for the program counter. Specifically, we associate a set $Q_M$ of states with 
each method $M$. All threads suspended on a guard in $M$ are in one of these 
states. The set of states for method $M$ is assumed to contain the distinguished 
states $M^{call}$ and $M^{return}$. Method calls result in the creation of a new thread, 
which is placed into $M^{call}$. When a thread completes execution, it is placed 
in $M^{return}$. Hence, the inputs of an object are its associated call sets, and its 
outputs are its associated return sets. 

Finally, we turn our attention to nested fragments. Encapsulation makes 
these difficult, as we cannot be sure when such fragments are enabled. The 
solution is to assume that the called method has some property P when called 
atomically. This assumption is used to compute the effect of the calling fragment, 
and is added to the environment assumption for that method. When classes are 
composed, we verify such assumptions. Note that TLA’s Composition Theorem 
is able to cope with mutually recursive nested calls, in much the same way that 
it can be used to prove properties of mutually recursive modules. 

To apply TLA's methods, we first identify system actions. The actions $A_M$ 
associated with a method $M$ are its set of fragments. That is, executing a frag- 
ment (taking an action) moves a thread from one state to another. We write 
$A(t)$ to indicate the actions that are enabled for thread $t$; we write $Enabled(t)$ 
to indicate that $A(t)$ is nonempty; that is, thread $t$ is enabled. Figure 9 shows 
the set of actions $\{NSTART, NDONE, SETPAR, ACK, REPLY\}$ for a Node 
object. The set of actions corresponds to the set of guards, or fragments, shown 
in Figure 2. 

We introduce some shorthand to avoid redundant expressions in our proper- 
ties. When moving a thread from one wait set to another, we use the following 
notation: 

\[
move(t(x), q, s) \triangleq t(x) = Nchoose(q) \wedge q' = q - \{t(x)\} \wedge s' = s \cup \{t(x)\}
\]

The CHOOSE operator was used by Lamport [11] equivalently to Hilbert's $\varepsilon$ 
operator [12]; that is, it represents a fixed but arbitrary choice. Our Nchoose 
operator is defined in terms of the $\varepsilon$ operator to mean nondeterministic choice 
from a set (see Appendix A). The meaning of the move macro is that some 
thread $t$, with local variables $x$, is moved from wait set $q$ to wait set $s$. We 
will see later, when we consider the problem of unboundedness, that in some 
instances this is not strong enough; we need fair nondeterministic choice from a 
set. 

The second piece of shorthand expresses the creation of a new thread. We 
create threads at method call time, as follows: 

\[
\begin{aligned}
call(t, m(x)) \triangleq\ & \wedge\ t' = Nchoose(Threads) \\
& \wedge\ Threads' = Threads - \{t'\} \\
& \wedge\ m^{call\prime} = m^{call} \cup \{t'(x)\}
\end{aligned}
\]

We assume two modules for assigning thread (Threads) and object (Objects) 
numbers. Each returns a unique ID, a "ticket", when called. As these modules 
are extremely simple, we omit them. 

³ Since a method call spawns a new thread, each thread executes in only a single object. 
Hence, the thread number need only be unique with respect to threads running on 
the same object. 

3.2 Rely/guarantee Properties 

Objects are usually not intended to operate in arbitrary environments. Correct- 
ness of an implementation is frequently contingent on the environment using 
the object in a "well-behaved" manner. For example, Segall's PIF algorithm as- 
sumes that the environment will not simultaneously call Start on two distinct 
Node objects. We employ the rely-guarantee style of writing properties to state 
such requirements. An object relies on the environment to provide some prop- 
erty; in return, the object guarantees to provide some other property. We use 
the TLA $\overset{+}{\triangleright}$ operator to write such properties: $E \overset{+}{\triangleright} M$ means that the machine 
(guarantee) property $M$ holds for at least one step longer than the environment 
property $E$ holds. 

In Segall's PIF algorithm, we want to specify that the call to Start on the 
root gossiper (or initiator) does not complete until all nodes have heard the 
gossip. In addition, we want to specify that a gossip step is one in which a node 
that has heard the gossip tells it to a neighboring node that has not. Finally, 
we want to say that a gossip step will eventually happen whenever it is possible 
(liveness). 

The variables we need to define our system are given in Figure 5. $N$ is a 
parameter, indicating the number of nodes in the system. The $Nbrs_i$ sets indicate 
the geometry of the network. The set $Nbrs_i$ contains all immediate network 
neighbors of node $i$. These two values are rigid variables; they are fixed for any 
given instance of the system. 

The flexible variables hold the current state of the system. They are cat- 
egorized as internal variables, those not accessible to the environment, input 
variables, those manipulated by the environment, and output variables, those 
which give information to the environment. The internal variables of most inter- 
est are those named $Heard_1, \ldots, Heard_N$. The variable $Heard_i$ is true iff node 
$i$ has heard the gossip. The other flexible variables are all wait sets associated 
Rigid Variables: 

  $N$ : Integer; 
  $Nbrs_1, \ldots, Nbrs_N$ : set of Node; 

Flexible Variables: 

  1. Internal Variables 
     $Heard_1, \ldots, Heard_N$ : Boolean; 
     $Start_1^{done}, \ldots, Start_N^{done}$ : set of Thread; 

  2. Input Variables 
     $Start_1^{call}, \ldots, Start_N^{call}$ : set of Thread; 

  3. Output Variables 
     $Start_1^{return}, \ldots, Start_N^{return}$ : set of Thread; 

Abbreviations: 

  $Path(i,j) \triangleq j \in Nbrs_i \vee (\exists k :: Path(i,k) \wedge Path(k,j))$ 
  $start \triangleq \{Start_1^{call}, Start_1^{done}, Start_1^{return}, \ldots, Start_N^{call}, Start_N^{done}, Start_N^{return}\}$ 
  $i \triangleq$ all input variables 
  $e \triangleq$ all internal variables 
  $o \triangleq$ all output variables 
  $all \triangleq i \cup e \cup o$ 

Fig. 5. Gossip system variables 



with method Start. Input is given to the system by calling Start. Output from 
the system consists of an indication that method Start has finished execution. 
There is also an internal wait set associated with the method, whose utility we 
will see shortly. 

Finally, we list some abbreviations that are used for convenience in writing. 
The statement $Path(i,j)$ means that there is some path in the network between 
nodes $i$ and $j$. We use the abbreviations $i$, $e$, and $o$ to refer to all input, internal, 
and output variables, respectively. The abbreviation $start$ refers to all wait sets 
associated with method Start. Finally, $all$ refers to all flexible variables. 

We write our specification as shown in Figure 6. The machine specification $M$ 
has hidden variables, $e$, the set of all internal variables. Hidden variables aside, 
the specification is represented in normal form by $GM$. The initial condition is 
given by $INIT$. It states that all of the $Heard_i$ variables are false, that all the 
wait sets are empty, that no node is in its own set of neighbors, that the network 
is symmetric (i.e., it is always possible to reply to a message), and that there 
is a path between any two nodes in the system. The next-state relation $NEXT$ 
states that there are three possible steps of the system: $START$, $GOSSIP$, and 
$DONE$. A $START$ step can be taken when a call has been made to the Start 
method. This step moves the calling thread into the internal wait set $Start_i^{done}$ 
on the called node and sets its $Heard$ variable to true. The $GOSSIP$ step can be 
taken whenever a node with $Heard$ true is adjacent in the network to a node with 
$Heard$ false. When the step is taken, the neighbor's $Heard$ variable is set to true. 
The $DONE$ step is taken when $Heard$ is true for all nodes. The calling thread 
\[
\begin{aligned}
M &\triangleq \exists\, e :: GM \\
GM &\triangleq INIT \wedge \Box[NEXT]_{(e,o)} \wedge GF \\
INIT &\triangleq \wedge\ (\forall i : 1 \le i \le N :: \neg Heard_i \wedge Start_i^{call} = \emptyset \wedge Start_i^{done} = \emptyset) \\
&\quad\ \wedge\ (\forall i : 1 \le i \le N :: i \notin Nbrs_i) \\
&\quad\ \wedge\ (\forall i, j : 1 \le i, j \le N :: (i \in Nbrs_j \equiv j \in Nbrs_i) \wedge Path(i,j)) \\
NEXT &\triangleq START \vee GOSSIP \vee DONE \\
START &\triangleq \wedge\ \exists i, t : 1 \le i \le N :: move(t, Start_i^{call}, Start_i^{done}) \wedge \neg Heard_i \wedge Heard_i' \\
&\quad\ \wedge\ UNCHANGED\,(all\ EXCEPT\ Heard_i, Start_i^{call}, Start_i^{done}) \\
GOSSIP &\triangleq \wedge\ \exists i, j : 1 \le i, j \le N :: Heard_i \wedge \neg Heard_j \wedge j \in Nbrs_i \wedge Heard_j' \\
&\quad\ \wedge\ UNCHANGED\,(all\ EXCEPT\ Heard_j) \\
DONE &\triangleq \wedge\ \exists i, t : 1 \le i \le N :: move(t, Start_i^{done}, Start_i^{return}) \\
&\quad\ \wedge\ (\forall j : 1 \le j \le N :: Heard_j) \\
&\quad\ \wedge\ UNCHANGED\,(all\ EXCEPT\ Start_i^{done}, Start_i^{return}) \\
GF &\triangleq WF_{(e,o)}(NEXT)
\end{aligned}
\]

Fig. 6. Gossip system specification 



is moved into the wait set $Start_i^{return}$ on its node, signaling to the environment 
that the operation has completed. Finally, we have the fairness condition $GF$. 
It states that $NEXT$ is executed in a weakly fair manner. 



\[
\begin{aligned}
E &\triangleq \exists\, started, thrd, obj :: EINIT \wedge \Box[ENEXT]_{(i,\, started)} \\
EINIT &\triangleq \neg started \wedge \forall i : 1 \le i \le N :: Start_i^{return} = \emptyset \\
ENEXT &\triangleq \wedge\ \neg started \wedge started' \wedge 1 \le obj \le N \wedge call(thrd, obj.Start()) \\
&\quad\ \wedge\ UNCHANGED\,(i\ EXCEPT\ obj.Start^{call})
\end{aligned}
\]

Fig. 7. Gossip system environment assumptions 



The gossip algorithm does not operate in a vacuum; it relies on certain as- 
sumptions about its environment, listed in Figure 7. The environment has three 
hidden variables: $started$, which records whether method Start has been called 
on some node, and $thrd$ and $obj$, which are junk variables used to set up a call to 
Start. The initial condition is described by $EINIT$: $started$ is false, and all of 
the output variables of the system are empty. At each step, the environment can 
take some action that does not change the system's input variables and its own 
internal variable $started$, or it can take step $ENEXT$. Due to the variable $started$, this 
step can be taken at most once. If it is taken, a call to method Start is invoked 
on some node. In this way, we ensure that the system is used at most once. Note 
that there is no fairness requirement; the environment need not ever call Start. 

From these specifications, it is possible to prove that the system $E \overset{+}{\triangleright} M$ 
satisfies the following two desirable properties: 

\[
\begin{aligned}
(S)\quad & \Box(\exists i, t :: t \in Start_i^{return} \Rightarrow (\forall j :: Heard_j)) \\
(P)\quad & \Box(\exists i, t :: t \in Start_i^{call} \leadsto t \in Start_i^{return})
\end{aligned}
\]

Property (S) is a safety property. It says that, in any state where there is a com- 
pleted call to Start, all nodes have heard the gossip. Property (P) is a progress 
property. It states that if a call is made to Start, then it eventually completes. 
The proofs are very straightforward, and are left to the reader. 



3.3 Concrete/ Abstract Properties 

We intend to use object properties in two very different ways. First, the user 
of an object wants to know its type; that is, the interface it provides and the 
guarantees made on that interface. Second, the object designer wants to know 
implementation details for the purpose of designing subclasses. The difference 
here is the same as that between a Java interface and a Java class. The first gives informa- 
tion about the behavior of the object only; the second gives information about the 
implementation of that behavior. For the first purpose, the object properties 
should refer only to the object interface; internal details should be abstracted 
away. However, in the second case we do want internal details. Multiple im- 
plementations are possible for any given interface, so construction of a correct 
subclass often depends on implementation details of the parent class. (See [22] 
for a formal approach to making this distinction.) 

We call properties of the first type abstract. They refer only to the externally 
visible portions of the object, respecting the encapsulation boundaries. Proper- 
ties of the second type are called concrete. These properties carry details of the 
internal implementation of the object. It is important that there be a close cor- 
respondence between the concrete and abstract properties of an object. In this 
section, we show how to derive an object's abstract properties from its concrete 
properties. We do so using the Composition Theorem. 

The variables we need to define a node are given in Figure 8, divided, as 
before, into rigid and flexible variables. The parameter $m$ is the number of nodes 
in the neighborhood; those nodes are contained in the set $Nbrs$. The variables 
$Parent$ and $Waiting$ describe the most significant parts of the state of the node. 
$Parent$ is a Node, the parent of this node in the abstract tree of gossipers 
shown in Figure 2(b). $Waiting$ is a set of Node, the neighbors that have not 
yet contacted this node, as shown in Figure 2(a). The variable named $junk$ is 
needed only for spawning threads during a method call. Its value is never needed 
again. The other internal, input, and output variables are wait sets for methods 
Start and Gossip, both on this node and on its network neighbors. 
Rigid Variables: 

  $m$ : Integer; 
  $Nbrs$ : set of Node; 

Flexible Variables: 

  1. Internal Variables 
     $Parent$ : Node; 
     $Waiting$ : set of Node; 
     $Start^{done}$ : set of Thread; 
     $junk$ : Thread 

  2. Input Variables 
     $Start^{call}, Gossip^{call}$ : set of Thread; 
     $Start_1^{return}, \ldots, Start_m^{return}, Gossip_1^{return}, \ldots, Gossip_m^{return}$ : set of Thread; 

  3. Output Variables 
     $Start^{return}, Gossip^{return}$ : set of Thread; 
     $Start_1^{call}, \ldots, Start_m^{call}, Gossip_1^{call}, \ldots, Gossip_m^{call}$ : set of Thread; 

Abbreviations: 

  $ni \triangleq$ all input variables 
  $ne \triangleq$ all internal variables 
  $no \triangleq$ all output variables 
  $start \triangleq \{Start^{call}, Start^{done}, Start^{return}\}$ 
  $gossip \triangleq \{Gossip^{call}, Gossip^{return}\}$ 
  $others \triangleq \{Start_1^{call}, \ldots, Start_m^{call}, Start_1^{return}, \ldots, Start_m^{return}\}$ 
  $otherg \triangleq \{Gossip_1^{call}, \ldots, Gossip_m^{call}, Gossip_1^{return}, \ldots, Gossip_m^{return}\}$ 
  $other \triangleq others \cup otherg$ 
  $nall \triangleq ni \cup ne \cup no$ 

Fig. 8. Gossip node variables 



Finally, we list some abbreviations that are used for convenience in writing. 
We use the abbreviations ni, ne, and no to refer to all input, internal, and output 
variables, respectively. The abbreviation start refers to all wait sets associated 
with method Start, and likewise for gossip and Gossip. We write others to refer 
to all wait sets related to method Start on other nodes, and likewise for otherg 
and Gossip. We write other for all wait sets on other nodes. Finally, nail refers 
to all flexible variables. 

The node specification is given in Figure 9, and the environment assumptions 
are stated in Figure 10. This specification is a straightforward translation of the 
pseudocode of Figure 3 into TLA notation. We have added only two kinds of 
items: references to the wait sets, and a fairness condition. Note that we did not 
need to use wait sets in the REPLY step, as there is exactly one thread waiting on 
that step. We only need wait sets to represent method call and return semantics. 

The environment assumptions are related somewhat to those for the entire 
system. The environment is allowed to make at most one call to method Start 
(due to the nstarted variable). That is, step CSTART is taken at most once. The 
\[
\begin{aligned}
NM &\triangleq \exists\, ne :: GNM \\
GNM &\triangleq NINIT \wedge \Box[NNEXT]_{(ne,\, no)} \wedge GNF \\
NINIT &\triangleq self \notin Nbrs \wedge Parent = null \wedge Waiting = \emptyset \wedge Start^{done} = \emptyset \\
NNEXT &\triangleq NSTART \vee NDONE \vee SETPAR \vee ACK \vee REPLY \\
NSTART &\triangleq \wedge\ move(t, Start^{call}, Start^{done}) \wedge Parent = null \wedge Parent' = self \\
&\quad\ \wedge\ Waiting' = Nbrs \wedge (\forall n \in Nbrs :: call(junk, Gossip_n(self))) \\
&\quad\ \wedge\ UNCHANGED\,(Start^{return}, gossip, others) \\
NDONE &\triangleq \wedge\ move(t, Start^{done}, Start^{return}) \wedge Waiting = \emptyset \\
&\quad\ \wedge\ UNCHANGED\,(nall\ EXCEPT\ Start^{done}, Start^{return}) \\
SETPAR &\triangleq \wedge\ move(t(n), Gossip^{call}, Gossip^{return}) \wedge Parent = null \wedge Parent' = n \\
&\quad\ \wedge\ (\forall p \in Waiting' :: call(junk, Gossip_p(self))) \\
&\quad\ \wedge\ Waiting' = Nbrs - \{n\} \wedge UNCHANGED\,(start, others) \\
ACK &\triangleq \wedge\ move(t(n), Gossip^{call}, Gossip^{return}) \\
&\quad\ \wedge\ Parent \ne null \wedge Waiting' = Waiting - \{n\} \\
&\quad\ \wedge\ UNCHANGED\,(Parent, start, other\ EXCEPT\ ack) \\
REPLY &\triangleq \wedge\ Parent \ne null \wedge Parent \ne self \wedge Waiting = \emptyset \\
&\quad\ \wedge\ call(junk, Gossip_{Parent}(self)) \\
&\quad\ \wedge\ UNCHANGED\,(nall\ EXCEPT\ reply, Gossip_{Parent}^{call}) \\
GNF &\triangleq WF_{(ne,\, no)}(NNEXT)
\end{aligned}
\]

Fig. 9. Gossip node specification 



\[
\begin{aligned}
NE &\triangleq \exists\, thrd, nstarted :: NEINIT \wedge \Box[NENEXT]_{(ni,\, nstarted)} \\
NEINIT &\triangleq \wedge\ Start^{call} = \emptyset \wedge Gossip^{call} = \emptyset \wedge \neg nstarted \\
&\quad\ \wedge\ (\forall n \in Nbrs :: Start_n^{return} = \emptyset \wedge Gossip_n^{return} = \emptyset) \\
NENEXT &\triangleq CSTART \vee CGOSSIP \vee COTHER \\
CSTART &\triangleq \wedge\ call(thrd, Start()) \wedge \neg nstarted \wedge nstarted' \\
&\quad\ \wedge\ UNCHANGED\,(ni\ EXCEPT\ Start^{call}) \\
CGOSSIP &\triangleq \wedge\ call(thrd, Gossip(p)) \wedge p \in Nbrs \\
&\quad\ \wedge\ (\forall t(q) \in Gossip^{call} \cup Gossip^{return} :: p \ne q) \\
&\quad\ \wedge\ UNCHANGED\,(ni, nstarted\ EXCEPT\ Gossip^{call}) \\
COTHER &\triangleq \wedge\ (\forall p \in Nbrs :: p.Start^{call} \subseteq p.Start^{call\prime} \wedge p.Gossip^{call} \subseteq p.Gossip^{call\prime}) \\
&\quad\ \wedge\ UNCHANGED\,(Start^{call}, Gossip^{call})
\end{aligned}
\]

Fig. 10. Gossip node environment assumptions 
environment can make calls to method Gossip, subject to certain restrictions. 
These are that the parameter passed to that method must be a node in $Nbrs$ 
and that no two calls to Gossip pass the same parameter (bounding the number 
of possible calls to the size of $Nbrs$). The environment is also allowed to call 
Start and Gossip on other nodes, without restriction. The abstract properties 
of a Node object should refer only to the Start method, since the 
Gossip method is not visible. 

As noted above, there should be a close correspondence between the concrete 
and abstract properties of an object. In fact, the concrete properties should im- 
plement the abstract properties. However, the concrete properties are for each 
method in isolation, and the abstract properties are for the object as a whole. 
Environment assumptions on the state variables of an object should disappear, 
leaving only assumptions about the calling patterns and values of the environ- 
ment. In short, we need to show that a set of lower level modules (the concrete 
properties) implement a set of higher level modules (the abstract properties). 
TLA’s Decomposition Theorem is designed for just such a task. 

The composition of Node[l], . . . , Node[n] has variables that do not appear 
in the system specification, and takes steps that do not appear there. Thus, we 
apply the refinement of Figure 11 to the composition. In fact, we apply only the 
refinement on states in the upper half of the figure; the refinement on actions in 
the bottom half will be shown to follow. All of the ACK , REPLY , and NDONE 
steps of the composition collectively make up a single DONE step of the system. 



System Values          ←   Local Values 

Variables: 
  $Nbrs_n$               ←   $Nbrs[n]$ 
  $Heard_n$              ←   $Parent[n] \ne null$ 
  $Start_n^{call}$       ←   $Start^{call}[n]$ 
  $Start_n^{done}$       ←   $Start^{done}[n]$ 
  $Start_n^{return}$     ←   $Start^{return}[n]$ 

Steps: 
  $INIT$                 ←   $\forall n :: NINIT_n$ 
  $START$                ←   $\exists n :: NSTART_n$ 
  $GOSSIP$               ←   $\exists n :: SETPAR_n$ 
  $DONE$                 ←   $\exists n :: ACK_n$, $\exists n :: REPLY_n$, $\exists n :: NDONE_n$ 

Fig. 11. Refinement: concrete to abstract 
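The refinement of Figure 11 can be checked mechanically on a small instance. The following Python model is an added example, not code from the paper: it encodes the Node steps of Figure 9 over explicit wait sets (the move and call macros of Section 3.1 become set moves), composes a few nodes with the one-shot environment of Figure 7, enumerates every interleaving, and checks property (S) in each state, the state refinement $Heard_n = (Parent[n] \ne null)$ across every step, and, because every step only advances a parent, a wait-set move or a flag, property (P) by inspecting terminal states. The networks, the naming of a Gossip thread by its caller (which Lemma 6 justifies) and the explicit one-shot flag for the REPLY step are assumptions of this example.

```python
"""Exhaustive exploration of composed Node objects (added example, not the paper's code).

Encodes the steps of Fig. 9 over explicit wait sets, composes N nodes with the
one-shot environment of Fig. 7, and checks (S), (P) and the refinement of Fig. 11.
"""
from collections import deque, namedtuple

NULL = None
ROOT_THREAD = "t0"      # the single environment thread that calls Start (assumption)
EMPTY = frozenset()
# One Node: Parent, Waiting, the Start wait sets, the Gossip wait sets and a flag for
# the one-shot REPLY step (our modelling choice).  A Gossip thread is named by its
# caller: a node calls a given neighbour's Gossip at most once (Lemma 6), so the
# caller id is a unique thread id and the Gossip wait sets are sets of caller ids.
Node = namedtuple("Node", "parent waiting s_call s_done s_ret g_call g_ret replied")

def init_state(n):
    """NINIT for every node; `started` is the environment's hidden variable of Fig. 7."""
    return (False, tuple(Node(NULL, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, EMPTY, False) for _ in range(n)))

def _set(nodes, i, node):
    return nodes[:i] + (node,) + nodes[i + 1:]

def _deliver(nodes, src, targets):
    """call(junk, Gossip_p(self)) for each p in targets: add a thread to p's Gossip^call."""
    for p in targets:
        nd = nodes[p]
        # CGOSSIP of Fig. 10: no two Gossip calls on a node pass the same parameter
        assert src not in nd.g_call | nd.g_ret, f"node {src} called Gossip on {p} twice"
        nodes = _set(nodes, p, nd._replace(g_call=nd.g_call | {src}))
    return nodes

def successors(state, nbrs):
    """Yield (step, node, next state) for every enabled step of the composition."""
    started, nodes = state
    if not started:                                    # ENEXT: one Start call, on any node
        for obj in range(len(nodes)):
            nd = nodes[obj]
            yield "ENEXT", obj, (True, _set(nodes, obj, nd._replace(s_call=nd.s_call | {ROOT_THREAD})))
    for n, nd in enumerate(nodes):
        if nd.parent is NULL:
            for t in nd.s_call:                        # NSTART: move Start^call -> Start^done
                new = nd._replace(parent=n, waiting=nbrs[n], s_call=nd.s_call - {t}, s_done=nd.s_done | {t})
                yield "NSTART", n, (started, _deliver(_set(nodes, n, new), n, nbrs[n]))
            for src in nd.g_call:                      # SETPAR: adopt the caller as parent
                waiting = nbrs[n] - {src}
                new = nd._replace(parent=src, waiting=waiting, g_call=nd.g_call - {src}, g_ret=nd.g_ret | {src})
                yield "SETPAR", n, (started, _deliver(_set(nodes, n, new), n, waiting))
        else:
            for src in nd.g_call:                      # ACK: a neighbour we waited for has spoken
                new = nd._replace(waiting=nd.waiting - {src}, g_call=nd.g_call - {src}, g_ret=nd.g_ret | {src})
                yield "ACK", n, (started, _set(nodes, n, new))
            if nd.parent != n and not nd.waiting and not nd.replied:    # REPLY: report to Parent
                yield "REPLY", n, (started, _deliver(_set(nodes, n, nd._replace(replied=True)), n, {nd.parent}))
            for t in nd.s_done:                        # NDONE: the root's Start call returns
                if not nd.waiting:
                    yield "NDONE", n, (started, _set(nodes, n, nd._replace(s_done=nd.s_done - {t}, s_ret=nd.s_ret | {t})))

def heard(nodes):
    """The state refinement of Fig. 11: Heard_n is Parent[n] != null."""
    return tuple(nd.parent is not NULL for nd in nodes)

def check(network):
    """Explore all reachable states; report whether (S), (P) and the step refinement hold."""
    nbrs = {i: frozenset(s) for i, s in network.items()}
    n = len(nbrs)
    start = init_state(n)
    seen, todo = {start}, deque([start])
    report = {"states": 0, "safety": True, "progress": True, "refinement": True}
    while todo:
        state = todo.popleft()
        report["states"] += 1
        started, nodes = state
        h = heard(nodes)
        if any(nd.s_ret for nd in nodes) and not all(h):    # (S): completed Start => all heard
            report["safety"] = False
        succ = list(successors(state, nbrs))
        # All behaviours are finite (every step is monotone), so under WF on NNEXT
        # (P) holds iff in every terminal state the Start call, once made, has returned.
        if started and not succ and not any(nd.s_ret for nd in nodes):
            report["progress"] = False
        for label, i, nxt in succ:
            h2 = heard(nxt[1])
            flipped = [j for j in range(n) if h[j] != h2[j]]
            # Step refinement: NSTART is a START on the called node, SETPAR a GOSSIP from a
            # neighbour that has heard, every other step leaves Heard unchanged.
            ok = ((label == "NSTART" and flipped == [i]) or
                  (label == "SETPAR" and flipped == [i] and any(h[k] for k in nbrs[i])) or
                  (label in ("ENEXT", "ACK", "REPLY", "NDONE") and not flipped))
            if not ok:
                report["refinement"] = False
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return report

# Constructed networks (assumptions): a 4-node ring, a connected graph with a leaf,
# and a disconnected graph that violates the Path(i, j) conjunct of INIT.
RING = {0: {1, 3}, 1: {0, 2}, 2: {1, 3}, 3: {0, 2}}
LEAF = {0: {1, 2}, 1: {0, 2}, 2: {0, 1, 3}, 3: {2}}
SPLIT = {0: {1}, 1: {0}, 2: {3}, 3: {2}}

if __name__ == "__main__":
    for name, net in (("ring", RING), ("leaf", LEAF), ("split", SPLIT)):
        print(name, check(net))
```

On the ring and the leaf graph every reachable state satisfies (S), every terminal state has the Start call returned, every concrete step maps to an abstract step, and the assertion standing in for CGOSSIP never fires. On the disconnected graph the report shows a safety violation: the root's Start call completes while two nodes never hear the gossip, which is why $INIT$ insists on $Path(i,j)$ for all $i, j$.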



Lemma 1. $C(NM) = NINIT \wedge \Box[NNEXT]_{(ne,\, no)}$ 

Proof. $NM$ exhibits finite invisible nondeterminism, so the result follows from 
Proposition 2 of [1], and Propositions 1 and 2 of [2]. □ 
Lemma 2. $C(M) = INIT \wedge \Box[NEXT]_{(e,\, o)}$ 

Proof. $M$ exhibits finite invisible nondeterminism, so the result follows from 
Proposition 2 of [1], and Propositions 1 and 2 of [2]. □ 

Lemma 3. $C(E) = E$ 

Proof. $E$ exhibits finite invisible nondeterminism, so the result follows from 
Proposition 2 of [1]. □ 

Lemma 4. $NM \wedge NE \Rightarrow$ ($Parent = n$ is stable), for $n \ne null$. 

Let: $s, s'$ be states, $A$ an action of $C(NM)$. 

Prove: $(s \models Parent = n \wedge n \ne null) \wedge sAs' \Rightarrow s' \models Parent = n$ 

⟨1⟩1. $A = NSTART \Rightarrow Parent = null$ 

⟨1⟩2. $A = SETPAR \Rightarrow Parent = null$ 

⟨1⟩3. $A = NDONE \vee ACK \vee REPLY \Rightarrow Parent' = Parent$ 

⟨1⟩4. $NE \Rightarrow Parent' = Parent$ 

⟨1⟩5. Q.E.D. 

  Proof: ⟨1⟩1, ⟨1⟩2, ⟨1⟩3, ⟨1⟩4, and Lemma 1. 

□ 

Lemma 5. $C(E) \Rightarrow$ no node takes both an $NSTART$ step and a $SETPAR$ step. 

⟨1⟩1. $C(E) \Rightarrow$ at most one node, say $n$, takes an $NSTART$ step. 

  Proof: Only the environment calls method $Start()$. It does so from $ENEXT$ 
  only. $ENEXT$ is enabled in the initial state, but disables itself. Hence, $ENEXT$ 
  is taken at most once, so at most one node has $Start()$ called on it. 

⟨1⟩2. Node $n$ never takes a $SETPAR$ step. 

  ⟨2⟩1. $NSTART_n \Rightarrow \Box(Parent_n = n)$ 

    Proof: Lemma 4, since $NSTART$ sets $Parent$ to $self$. 

  ⟨2⟩2. $Parent \ne null \Rightarrow \neg Enabled(SETPAR)$ 

  ⟨2⟩3. Q.E.D. 

    Proof: ⟨2⟩1 and ⟨2⟩2. 

⟨1⟩3. No step on any node is enabled until $n$ takes an $NSTART$ step. 

⟨1⟩4. Q.E.D. 

  Proof: ⟨1⟩1, ⟨1⟩2, and ⟨1⟩3. 

□ 



Lemma 6. $E \wedge \bigwedge_{j=1}^{n} NM_j \Rightarrow \forall i, j ::$ $i$ calls $j.Gossip()$ at most once. 

⟨1⟩1. $i$ takes an $NSTART$ step but never a $SETPAR$ step $\Rightarrow$ $i$ calls $j.Gossip()$ 
  at most once. 

  ⟨2⟩1. $i$ calls all nodes in $Nbrs$ when it takes the $NSTART$ step. 

  ⟨2⟩2. $REPLY$ is never enabled. 

  ⟨2⟩3. Q.E.D. 

⟨1⟩2. $i$ takes a $SETPAR$ step but never an $NSTART$ step $\Rightarrow$ $i$ calls $j.Gossip()$ 
  at most once. 



Compositional Proofs for Concurrent Objects 319 



  ⟨2⟩1. $i$ calls all nodes in $Nbrs$ but $Parent$ when it takes the $SETPAR$ step. 

  ⟨2⟩2. $i$ calls $Parent$ if it takes a $REPLY$ step. 

  ⟨2⟩3. Q.E.D. 

⟨1⟩3. Q.E.D. 

  Proof: ⟨1⟩1, ⟨1⟩2, and Lemma 5. 

□ 



Lemma 7. $\forall i :: C(E) \wedge \bigwedge_{j \ne i} C(NM_j) \Rightarrow NE_i$ 

Proof: 

Let: $x_k \triangleq (ne_k, ni_k, no_k)$ and $\bar{x}_k \triangleq (x_1, \ldots, x_{k-1}, x_{k+1}, \ldots, x_n)$. 

⟨1⟩1. $\forall i :: E \wedge \bigwedge_{j \ne i} NINIT_j \wedge \Box[\bigvee_{k \ne i} (NNEXT_k \wedge \bar{x}_k' = \bar{x}_k)] \Rightarrow NE_i$ 

  ⟨2⟩1. $\forall i :: E \wedge \bigwedge_{j \ne i} NINIT_j \wedge \Box[\bigvee_{k \ne i} (NNEXT_k \wedge \bar{x}_k' = \bar{x}_k)] \Rightarrow NEINIT_i$ 

    Proof: By the refinement, $\neg started \Rightarrow \bigwedge_{j} \neg nstarted_j \Rightarrow \neg nstarted_i$, and 
    all wait sets are empty. 

  ⟨2⟩2. $\forall i :: E \wedge \bigwedge_{j \ne i} NINIT_j \wedge \Box[\bigvee_{k \ne i} (NNEXT_k \wedge \bar{x}_k' = \bar{x}_k)] \Rightarrow \Box[NENEXT_i]_{(ni_i,\, nstarted_i)}$ 

    ⟨3⟩1. $\forall i :: E \Rightarrow \Box[NENEXT_i]_{(ni_i,\, nstarted_i)}$ 

      ⟨4⟩1. $E$ takes a stuttering step $\Rightarrow$ all input variables ($i$) and $started$ are 
        left unchanged. Hence, the input variables for node $i$ ($ni_i$) and 
        $nstarted_i$ (by the refinement) are left unchanged. Therefore, this is 
        a stuttering step for $NE_i$. 

      ⟨4⟩2. $ENEXT \Rightarrow$ a call to Start is made on a single node and $started$ is 
        set. Hence, this is either a $CSTART_i$ step (if node $i$ was called), or 
        a $COTHER_i$ step (if some other node was called). 

      ⟨4⟩3. Q.E.D. 

        Proof: ⟨4⟩1, ⟨4⟩2, and the definition of $E$. 

    ⟨3⟩2. $\forall i, j :: E \wedge \Box[NNEXT_j \wedge \bar{x}_j' = \bar{x}_j]_{(ne_j,\, no_j)} \Rightarrow \Box[NENEXT_i]_{(ni_i,\, nstarted_i)}$ 

      ⟨4⟩1. $NM_j$ takes a stuttering step $\Rightarrow$ all output variables ($no_j$) are left 
        unchanged. Since $NM_j$ cannot change $ni_i$ or $nstarted_i$, they are left 
        unchanged as well. Hence, this is a stuttering step for $NE_i$. 

      ⟨4⟩2. $NSTART_j \Rightarrow$ a $COTHER$ step, a $CGOSSIP$ step, or both. 

        Proof: Node $j$ makes calls on Gossip on its neighbors, so this is a 
        $COTHER$ step for node $i$. It can also be a $CGOSSIP$ step if node $i$ is a 
        neighbor of $j$. In that case, we must verify the conditions of $CGOSSIP$. 
        Since all calls to Gossip are made with argument $self$, that follows 
        by Lemma 6 and $INIT$. If the $NSTART_j$ step corresponds to both a 
        $COTHER_i$ and a $CGOSSIP_i$ step, they can be considered to occur in 
        either order since they operate on disjoint sets of variables. 

      ⟨4⟩3. $NDONE_j, ACK_j \Rightarrow$ a stuttering step for $NE_i$. 

      ⟨4⟩4. $SETPAR_j \Rightarrow$ Node $j$ makes calls on Gossip on its neighbors (except 
        for its parent). Hence this case is equivalent to the $NSTART_j$ case. 

      ⟨4⟩5. $REPLY_j \Rightarrow$ Node $j$ makes a single call to Gossip on its parent. 
        Hence this is either a $COTHER$ or a $CGOSSIP$ step for $NE_i$, but 
        not both. 

      ⟨4⟩6. Q.E.D. 

        Proof: ⟨4⟩1, ⟨4⟩2, ⟨4⟩3, ⟨4⟩4, and ⟨4⟩5. 

    ⟨3⟩3. Q.E.D. 

      Proof: ⟨3⟩1, ⟨3⟩2, and simple propositional logic. 

  ⟨2⟩3. Q.E.D. 

    Proof: ⟨2⟩1, ⟨2⟩2, and the definition of $NE_i$. 

⟨1⟩2. $\forall i :: E \wedge \bigwedge_{j \ne i} (NINIT_j \wedge \Box[NNEXT_j]_{(ne_j,\, no_j)}) \Rightarrow NE_i$ 

  Proof: ⟨1⟩1 and Proposition 6 of [2]. 

⟨1⟩3. Q.E.D. 

  Proof: ⟨1⟩2 and Lemmas 3 and 1. 

□ 



Lemma 8. $C(E)_{+v} \wedge \bigwedge_{j=1}^{n} C(NM_j) \Rightarrow C(M)$ 

Proof: 

⟨1⟩1. $C(E) \overset{+}{\triangleright} C(M)$ 

  Proof: Proposition 5 of [2], with $x = (e)$, $e = o$, $y = (started, thrd)$, and 
  $m = i$. 

⟨1⟩2. $C(E) \wedge \bigwedge_{j=1}^{n} C(NM_j) \Rightarrow C(M)$ 

  Let: $x_k \triangleq (ne_k, ni_k, no_k)$ and $\bar{x}_k \triangleq (x_1, \ldots, x_{k-1}, x_{k+1}, \ldots, x_n)$. 

  ⟨2⟩1. $E \wedge \bigwedge_{j=1}^{n} NINIT_j \wedge \Box[\bigvee_{k=1}^{n} (NNEXT_k \wedge \bar{x}_k' = \bar{x}_k)] \Rightarrow INIT$ 

    ⟨3⟩1. $\bigwedge_{j=1}^{n} NINIT_j \Rightarrow \forall j :: \neg Heard_j$ 

      Proof: $NINIT_j \Rightarrow Parent_j = null$, and by the refinement, $Parent_j = null \Rightarrow \neg Heard_j$. 

    ⟨3⟩2. $\bigwedge_{j=1}^{n} NINIT_j \Rightarrow \forall j :: Start_j^{call} = \emptyset \wedge Start_j^{done} = \emptyset$ 

      Proof: Definition of $NINIT_j$. 

    ⟨3⟩3. Q.E.D. 

      Proof: ⟨3⟩1 and ⟨3⟩2. 

  ⟨2⟩2. $E \wedge \bigwedge_{j=1}^{n} NINIT_j \wedge \Box[\bigvee_{k=1}^{n} (NNEXT_k \wedge \bar{x}_k' = \bar{x}_k)] \Rightarrow \Box[NEXT]_{(e,\, o)}$ 

    ⟨3⟩1. $E$ takes a step $\Rightarrow$ then $e$ and $o$ are left unchanged, so this is a stut- 
      tering step for $\Box[NEXT]_{(e,\, o)}$. 

    ⟨3⟩2. $NSTART_j \Rightarrow START$, by the refinement. 

    ⟨3⟩3. $SETPAR_j \Rightarrow GOSSIP$, by the refinement; since all calls to Gossip are 
      made with argument $self$, the argument is always non-null. 

    ⟨3⟩4. $ACK_j, REPLY_j, NDONE_j \Rightarrow DONE$, by the refinement. 

    ⟨3⟩5. Q.E.D. 

      Proof: ⟨3⟩1, ⟨3⟩2, ⟨3⟩3, and ⟨3⟩4. 

  ⟨2⟩3. Q.E.D. 

    Proof: ⟨2⟩1, ⟨2⟩2, and the definition of $C(M)$. 

⟨1⟩3. Q.E.D. 

  Proof: ⟨1⟩1, ⟨1⟩2, and Proposition 4 of [2]. 

□ 



Lemma 9. $E \wedge \bigwedge_{j=1}^{n} NM_j \Rightarrow M$ 

Proof: 

⟨1⟩1. $E \wedge \bigwedge_{j=1}^{n} NM_j \Rightarrow C(M)$ 

  Proof: Lemma 8, since $E \Rightarrow C(E)_{+v}$ and $NM_j \Rightarrow C(NM_j)$. 

⟨1⟩2. $E \wedge \bigwedge_{j=1}^{n} NM_j \Rightarrow GF$ 

  Proof: $\bigwedge_{j=1}^{n} GNF_j \Rightarrow GF$, due to the refinement, as shown in Lemma 8. 

⟨1⟩3. Q.E.D. 

  Proof: ⟨1⟩1, ⟨1⟩2, and Lemma 2. 

□ 

Now we show that the proof obligations of the Composition Theorem have 
been met. 

Theorem 10. $(\bigwedge_{j=1}^{n} NE_j \overset{+}{\triangleright} NM_j) \Rightarrow (E \overset{+}{\triangleright} M)$ 

Proof: 

⟨1⟩1. $\forall i :: C(E) \wedge \bigwedge_{j \ne i} C(NM_j) \Rightarrow NE_i$ 

  Proof: Lemma 7. 

⟨1⟩2. $C(E)_{+v} \wedge \bigwedge_{j=1}^{n} C(NM_j) \Rightarrow C(M)$ 

  Proof: Lemma 8. 

⟨1⟩3. $E \wedge \bigwedge_{j=1}^{n} NM_j \Rightarrow M$ 

  Proof: Lemma 9. 

⟨1⟩4. Q.E.D. 

  Proof: Steps ⟨1⟩1, ⟨1⟩2, and ⟨1⟩3 and the Composition Theorem. 

□ 

Notice how the global reasoning needed in this example (see [15]) is postponed 
until the final composition step. This is one of the benefits of our approach; low- 
level (i.e., concrete) properties can be constructed with purely local reasoning. 
In the absence of private methods and nested objects, the abstract properties of 
individual objects can also be constructed with purely local reasoning. 

In the gossip algorithm case, the abstract properties are the same as the 
properties of the entire system, given in Figures 6 and 7, since there are no other 
objects in the system. In a more complex example, we would place other objects 
in the system, and use the Composition Theorem to show how the synchroniza- 
tion provided by the Node objects helps the rest of the system meet its desired 
properties. 



3.4 Fairness 

Our translation from the object model to TLA has an undesirable property. A 
TLA step is enabled iff there is some thread in the associated wait set such that 
the associated guard is satisfied. However, an unbounded number of threads may 
be waiting on the same satisfied guard. In this case, specifying fairness of the 
TLA step is not equivalent to specifying fairness over threads. The action can 
be selected fairly, and some thread waiting on that action can starve, if there is 
always at least one other thread in the same wait set. To express fairness over 
all threads, we also need fairness of the mechanism for selecting threads from a 
thread set. 

To express such a fair selector, we must take the thread guards into account. 
If a wait set can simultaneously have threads with both satisfied and unsatisfied 
guards (this can be the case for guards that reference thread variables), then 
we want to make sure the selector chooses a thread with a satisfied guard. We 
refer to such threads as enabled. A weakly fair selector will eventually choose any 
thread that is enabled every time the action is enabled. A strongly fair selector 
will eventually choose any thread that is infinitely often enabled when the action 
is enabled. 

In TLA+, the Choose operator is used to make a fixed, but arbitrary choice
from a set (it is equivalent to Hilbert’s ε-operator). We introduce the Nchoose
operator, which nondeterministically selects an element of a set (see Appendix A
for details). We introduce two thread-choosing operators based on Nchoose, one
providing weak fairness and the other providing strong fairness. We assume that
only one of the two operators is ever used on any given set of threads.

Definition 11. Let T be a set of threads. Wchoose(T) and Schoose(T) each
nondeterministically evaluate to some enabled element of T, such that:

∀ t ∈ T :: □(|T| < ∞) ∧ WF_T(Wchoose(T)) ⇒
    □◇(¬Enabled(t)) ∨ □◇(t = Wchoose(T))

and

∀ t ∈ T :: □(|T| < ∞) ∧ SF_T(Schoose(T)) ⇒
    ◇□(¬Enabled(t)) ∨ □◇(t = Schoose(T))

That is, if T is always finite and Wchoose(T) is executed with weak fairness, 
then any given t that is continuously enabled when the Wchoose(T) step is 
enabled will eventually be chosen. If T is always finite and Schoose(T) is 
executed with strong fairness, then eventually any Schoose(T) step is taken 
at a time when t is not enabled, or t is eventually chosen. One consequence of 
these definitions is that Wchoose(T) and Schoose(T) steps are only enabled 
when there is some enabled element of T. 
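As an added illustration (not from the paper), the following Python simulation contrasts the three situations this section distinguishes on constructed schedules: an action-level fair selector that still starves a waiting thread, a weakly fair round-robin selector (Wchoose-like) that never reaches an intermittently enabled thread, and a strongly fair selector (Schoose-like) that serves it. Thread names, guards, step counts and the three policies are this example's own, not the paper's operators.

```python
"""Added example (not from the paper): action-level vs. thread-level fairness.

A single TLA-style action has a wait set of threads, each with a guard; the
action is enabled iff some waiting thread's guard holds (Section 3.4). Three
thread-selection policies are simulated so that the notions of Definition 11
can be compared. Thread names, guards and step counts are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Guard = Callable[[int], bool]        # a guard is evaluated at a step number


@dataclass
class Thread:
    name: str
    guard: Guard
    joined: int          # step at which the thread entered the wait set
    waiting_since: int   # reset each time the thread is served


Policy = Callable[[List[Thread], int], Optional[Thread]]


def always(step: int) -> bool:
    return True


def even_steps_only(step: int) -> bool:
    return step % 2 == 0


def enabled_threads(wait_set: List[Thread], step: int) -> List[Thread]:
    """Threads whose guard holds; the action is enabled iff this is non-empty."""
    return [t for t in wait_set if t.guard(step)]


def action_fair_lifo(wait_set: List[Thread], step: int) -> Optional[Thread]:
    """Serve the most recently joined enabled thread. The action fires whenever
    it is enabled (action-level fairness), but no thread gets any guarantee."""
    cand = enabled_threads(wait_set, step)
    return max(cand, key=lambda t: t.joined) if cand else None


def weak_fair_cursor(wait_set: List[Thread], step: int) -> Optional[Thread]:
    """Round-robin cursor over the wait set in join order, one position per
    step; serve the first enabled thread at or after it (wrapping). For a fixed
    wait set of n threads a continuously enabled thread is served within n
    steps (weak fairness, as for Wchoose); a thread that is only intermittently
    enabled can be skipped forever, so the policy is not strongly fair."""
    cand_idx = [i for i, t in enumerate(wait_set) if t.guard(step)]
    if not cand_idx:
        return None
    cursor = step % len(wait_set)
    at_or_after = [i for i in cand_idx if i >= cursor]
    return wait_set[(at_or_after or cand_idx)[0]]


def strong_fair_fifo(wait_set: List[Thread], step: int) -> Optional[Thread]:
    """Serve the enabled thread that has waited longest since it was last
    served. Only the finitely many threads already waiting when t (re)entered
    can be ahead of it, and each service moves one of them behind t, so a
    thread enabled infinitely often is eventually served (as for Schoose)."""
    cand = enabled_threads(wait_set, step)
    return min(cand, key=lambda t: (t.waiting_since, t.joined)) if cand else None


def simulate(policy: Policy, initial: List[Thread],
             joins: Dict[int, Thread], steps: int) -> Dict[str, int]:
    """Run `steps` steps; `joins` maps a step to a thread that enters the wait
    set at the start of it. A served thread goes back to waiting (it loops on
    the same method), so the wait set only grows. Returns service counts."""
    wait_set = list(initial)
    served: Dict[str, int] = {t.name: 0 for t in wait_set}
    for step in range(steps):
        if step in joins:
            wait_set.append(joins[step])
            served[joins[step].name] = 0
        chosen = policy(wait_set, step)
        if chosen is not None:
            served[chosen.name] += 1
            chosen.waiting_since = step + 1
    return served


def starvation_under_action_fairness(steps: int = 40) -> Dict[str, int]:
    """'victim' waits on a satisfied guard from before step 0 while a fresh
    thread with the same guard joins at every step: the action fires at every
    step, yet 'victim' is never chosen."""
    victim = Thread("victim", always, joined=-1, waiting_since=-1)
    joins = {s: Thread(f"t{s}", always, s, s) for s in range(steps)}
    return simulate(action_fair_lifo, [victim], joins, steps)


def weak_vs_strong(steps: int = 50):
    """'a' is always enabled, 'b' only on even steps. The cursor policy is
    weakly fair yet never serves 'b'; the FIFO policy serves it regularly."""
    def fresh() -> List[Thread]:
        return [Thread("a", always, 0, 0), Thread("b", even_steps_only, 0, 0)]
    return (simulate(weak_fair_cursor, fresh(), {}, steps),
            simulate(strong_fair_fifo, fresh(), {}, steps))
```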



3.5 Inheritance 

When deriving subclasses, we want to reuse as much of the correctness proof for 
the parent class as possible. For example, we have given a one-shot version of 
Segall’s PIF algorithm; consider a subclass that implements the algorithm in a 
reusable fashion. The subclass would behave just like the parent class, except 
that it also has a reset method which sets its state back to the initial value. We
expect the correctness proofs to be nearly identical. In fact, all we need to do is
assume that the system has at most one outstanding call to Start at any one
time. Then we can divide any execution of the subclass into phases such that
each phase is identical to an execution of the parent class.

Methods that are identical in the parent class and the subclass may not 
need to be completely reverified. If the environment assumptions still hold, then 
the Decomposition Theorem’s premises are discharged. Hence, when verifying a 
subclass, we take the following steps: 

1. Verify concrete properties of new/modified methods; 

2. Reverify environment assumptions of unmodified methods. 

3. Verify abstract properties of new/modified methods. 

Step 2 discharges our obligations for unmodified methods; the abstract property 
still holds. 



4 Related Work 

Non-object-oriented compositional techniques have been pioneered by Barringer,
Kuiper, and Pnueli [4], Pnueli [19], Stark [21], Pandya and Joseph [18], Misra [16],
and Abadi and Lamport [2], to name some prominent examples. Some of these 
techniques ([19] and [21]) are compositionally incomplete; that is, some prop- 
erties of a system cannot be deduced from properties of the modules and the 
composition rule. 

The POOL object-oriented language is given a proof system by de Boer [7] 
using rely-guarantee properties. The strength of this system is that it handles 
a dynamic set of processes. However, the composition rule can only prove pure 
safety properties; there is no composition rule for progress properties. Further- 
more, there is no mechanism for dealing with inheritance. The restriction to 
safety properties simplifies the composition rule. It consists of placing statements 
that might modify the global context in bracketed sections, and then applying 
a Cooperation test to the bracketed sections of each class. If all classes pass the 
cooperation test with respect to some invariant I, then the composition of all 
the rely properties guarantees I and the composition of all guarantee properties. 

DisCo [9] is an object-oriented specification language for reactive systems 
based on the joint action model of execution (see [10] for an example of its 
use). It has guarded multi-object actions instead of single-object methods. Like 
our model, DisCo has a formal basis in TLA; i.e., it can be considered another 
example of an object model with a TLA-based proof system. Its notion of object 
is somewhat different from ours, due to the use of joint actions rather than 
threads of control. 

Manohar and Sivilotti [15] provide a non-object-oriented composition rule
based on modified rely-guarantee properties. These are rely-guarantee properties
which can only refer to local variables (i.e., variables local to the process to which
the property refers). They are able to prove both safety and progress properties
with their composition rule. They use channel variables for communication be-
tween processes that act very much like our thread sets. Their next operator is
equivalent to Misra’s co operator and Abadi and Lamport’s ^ operator. 

Manohar and Sivilotti found that they were unable to prove all properties
of a composition and blamed it on the modified properties. However, the real
culprit is their composition rule, which is as follows. Given modules P_1, P_2,
… with rely-guarantee properties (R_1, G_1), (R_2, G_2), …, their composition has
the rely-guarantee property (R, R_1 ∧ G_1 ∧ R_2 ∧ G_2 ∧ ⋯) if:

R ⇒ R_1

R ∧ R_1 ∧ G_1 ⇒ R_2

R ∧ R_1 ∧ G_1 ∧ R_2 ∧ G_2 ⇒ R_3

…

This is a very weak composition rule, and so is unable to handle Segall’s PIF
algorithm.



5 Conclusion 

We have described a simple concurrent object model, and shown how to con- 
struct a proof system for it by using an existing modular proof system, TLA. We 
have shown how compositional reasoning may be applied to facilitate both proof 
and code reuse. Our approach distinguishes between the concrete and abstract 
properties of an object. The concrete properties are closely related to the source 
code. They carry information about the implementation of the object needed 
by subclass designers. The abstract properties hide implementation details, and 
deal only with the properties visible to the object user. We showed how to verify 
the abstract properties of an object by applying the Decomposition Theorem 
to the concrete properties of that object. The properties of a system are veri- 
fied in a similar fashion, by composing the properties of its component objects. 
We introduced fair thread choice operators to express fairness over a dynamic, 
unbounded set of threads. 

Our object model was designed with trends in actual concurrent systems in 
mind. We are exploring the model further by building a distributed implemen- 
tation of Java, with some language modifications to support the model. The 
system design itself is object-oriented, and we plan to verify the correctness of 
some components with the methodology outlined in this paper. We expect this 
process to yield further insights into the structure of such proofs, and the pitfalls 
that await the verifier of concurrent object systems. 
A Hilbert’s ε-operator and nondeterministic choice

Although Hilbert’s ε operator [12] represents a fixed arbitrary choice, we can
specify a sequence of nondeterministic choices with it. We assume a (possibly
infinite) set of data items D. The universe U = ℕ × D is a set of 2-tuples of the
form (i, d), i a natural number and d a data item. For any u = (i, d) ∈ U, we
define two projection operators:

time((i, d)) = i
val((i, d)) = d

A sequence [u_1, u_2, …] is an element of the set of finite and infinite strings
over U. A temporal sequence is a sequence such that ∀ i, j, d : (i, d) ∈ u_j :: i = j.
Let S = [u_1, u_2, …] be a temporal sequence. Then the choice at step i of S is
val(ε (i, d) ∈ u_i), written Nchoose_i(S). Since we are including temporal values in
the set operated on by ε, we can represent any sequence of choices out of the
sets u_1, u_2, ….

Fair nondeterministic choice can also be specified. A weakly fair sequence is
a temporal sequence that is finite or satisfies

∀ d :: (∃ i ∀ j : i < j :: (j, d) ∈ u_j) ⇒ (∀ k ∃ l : k < l :: Nchoose_l = d).

A strongly fair sequence is a temporal sequence that is finite or satisfies

∀ d :: (∀ i ∃ j : i < j :: (j, d) ∈ u_j) ⇒ (∀ k ∃ l : k < l :: Nchoose_l = d).




An overview of compositional translations 



Theo M.V. Janssen 



Computer Science, University of Amsterdam, Plantage Muidergracht 24, 1018 TV
Amsterdam, The Netherlands
email: theo@fwi.uva.nl



Abstract. Translations from one language to another arise in many 
fields of science: in computer science (compilers, data base views), logic 
(embeddings), natural language (translation), and philosophy (Montague 
grammar). In all these fields one can find the same method: composi- 
tional translation, or in mathematical formulation, algebraic translation. 
In some fields it is a standard method, in other fields a rare approach. 
The aim of this paper is to give an overview of compositional transla-
tions. Special attention will be given to the notion ‘correct translation’
(which can be formalized by commutativity of a diagram). Furthermore,
the first steps will be made towards a mathematical theory of
translating.

Keywords: Translation, correctness, compiler, embedding, view update,
natural language, semantics, commutative diagram.



1 Introduction 

In philosophy of language the following principle is well known:

The meaning of a compound expression is a function of the meanings of 
its parts and of the rule by which the parts are combined 

It is called the compositionality principle or ‘Frege’s principle’. A survey of the 
role of the principle in philosophy of language is given in [14]. 

Computer scientists have been attracted by compositionality since the first
steps towards a formal semantics. Two early quotations (from 1975) are by
Milner: ‘… any abstract semantics should give a way of composing the meanings
of the parts into the meaning of the whole …’ [21, p. 157], and Mazurkiewicz:
‘One of the most natural methods of assigning meanings to programs is to define
the meaning of the whole program by the meaning of its constituents’ [19, p. 75].
In these cases there is no awareness of the relation with the (older) principle from
philosophy. The first publication that mentions the compositionality principle in
connection with programming languages seems to be one from Janssen & van
Emde Boas at the conference celebrating 100 years of Frege’s Begriffsschrift [7].

The principle characterizes the connection between a language and its seman- 
tic model. The mathematical formulation of this connection is that the language 
is organized as an algebra, the meanings form a similar algebra, and meaning 
assignment is a homomorphism. However, in most practical cases this situation
does not arise so directly. Usually a logical language is used to describe the
meanings. Since for logic an interpretation is defined, this indirectly defines a
compositional meaning assignment. So compositional meaning assignment means
in practice a compositional translation into a logic.

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 327-349, 1998.
Springer-Verlag Berlin Heidelberg 1998

Meaning assignment is just one example of a translation. Translations occur
in many fields of science, between several kinds of languages, and for sev-
eral purposes. One finds them in computer science when a computer program
is compiled into machine code, when a view update is translated into a data base
update, but also when a natural language is translated into another one by the
computer. They arise when a logic is embedded in another logic, or when mean-
ings are given for the expressions of natural language by defining a translation
into logic. In many of these fields independently the same idea arose: use an
algebraic (compositional) translation.

Certainly not all translations are intuitively correct, and therefore in many 
disciplines formal correctness notions are given. Often this notion is based upon 
the commutativity of some diagram, and if that was not the case, it could be 
brought in that form. Surprisingly, in the field of algebraic compiler construc- 
tion there is no consensus on the notion ‘correctness’. We will discuss this issue 
extensively, and arguments in favor of one correctness notion will be given. It is 
not the correctness notion that is used in most articles on compilers, but it is 
the oldest one. The same correctness notion can also be found in several other 
fields where translations arise. 

The aim of this article (preliminary version of [15]), is to compare the alge- 
braic methods from these different fields and to discuss some of the fundamental 
issues, in particular the notion of correctness of translation. It turns out that 
the publications from the different fields of translation discuss the same issues 
and use related notions. Hence there seems to be a common basis for a general 
algebraic theory of translation. In this paper a first, small step will be made. 



2 Translating from programming langnage to 
programming language 

2.1 Compilers 

A compiler can be conceived of as a translation from a source language SL 
(for instance a high level programming language) to a target language TL (for 
instance some assembler language). It has been proposed by several authors to 
deal with compiler design in an algebraic way. In diagram 1 the components are
mentioned that will arise in the discussion: all corners are algebras, and all arrows
are homomorphisms. Below we consider one proposal for compiler correctness;
in the next sections four other proposals will be considered.

The intuitive ideal about a translation is that it formulates precisely the same 
information in another language. No information is added, nothing gets lost: the 
meaning of the target language is, if not identical, at least isomorphic with the 
meaning of the source language. This ideal is formulated by Polak [33] who
requires Enc (encode) to be the identity, and Mosses [27] who assumes Enc and
Dec (decode) to be isomorphisms. Correctness is then defined as commutativity
of diagram 1.

As we shall see in the next sections, when compiler correctness has to be
proven by describing Enc or Dec, this is never done by proving one of them
to be an isomorphism. The explanation is that the involved languages are very
different and have different meanings. In the next sections examples will be given
which illustrate this point. Therefore it is not surprising that in the final version
of Mosses’ paper [27], that is [28], a different correctness notion is used (viz. the
one from sect. 2.2). The ideal of identity or isomorphism is reached only if the
situation is designed with that aim (see sect. 6), or if one takes an abstract point
of view (see sect. 9), but these cases do not arise, as far as I know, in articles
about compilers.



    Syn_SL ------Comp------> Syn_TL
      |                        |
    Int_SL                  Int_TL
      v          Dec           v
    Sem_SL <-------------- Sem_TL
           -------------->
                 Enc

SL      source language
TL      target language
Syn_x   algebra as syntax for x, where x = SL or x = TL
Comp    compiling homomorphism
Int_x   interpretation hom. for x
Sem_x   algebra of meanings for x
Dec     decoding isomorphism
Enc     encoding isomorphism

Diagram 1. Compiler correctness according to Polak [33, p. 17] and Mosses [27, p. 189]:
there are isomorphisms Dec and Enc such that the diagram commutes in both direc-
tions.



2.2 The correctness notion of Thatcher et al. 

Certainly the most influential proposal for algebraic compiler construction is 
the one of Thatcher, Wagner and Wright [40]. It defines compiler correctness 
as commutativity of diagram 2. The proposal of Thatcher et al. is based upon 
the work of Morris [25] and aims at correcting, refining and completing that 
proposal. They do not present Morris’ original version (diagram 3); instead they 
say that his advise was to use diagram 2. This is justified in a footnote where 
they say that ‘Morris’ diagram had Dec: SempL SemsL, though in the text 
he uses Enc: SemsL SempL ■ Thus they suggest that by accident the wrong 
diagram was incorporated in Morris’ article. We shall return to this point in 
sect. 2.3. 

    Syn_SL ------Comp------> Syn_TL
      |                        |
    Int_SL                  Int_TL
      v                        v
    Sem_SL -------Enc------> Sem_TL

SL      source language
TL      target language
Syn_x   algebra as syntax for x, where x = SL or x = TL
Comp    compiling homomorphism
Int_x   interpretation hom. for x
Sem_x   algebra of meanings for x
Enc     encoding homomorphism

Diagram 2. Compiler correctness according to Thatcher et al. [40]: there is a homo-
morphism Enc such that the diagram is commutative.

    Syn_SL ------Comp------> Syn_TL
      |                        |
    Int_SL                  Int_TL
      v                        v
    Sem_SL <------Dec------- Sem_TL

SL      source language
TL      target language
Syn_x   algebra as syntax for x, where x = SL or x = TL
Comp    compiling homomorphism
Int_x   interpretation hom. for x
Sem_x   algebra of meanings for x
Dec     decoding homomorphism

Diagram 3. Compiler correctness according to Morris [25]: there is a homomorphism
Dec such that the diagram is commutative.

Let us now consider the example of a compiler given by Thatcher et al.
The source language is a fragment of a programming language with 18 syn-
tactic operations (forming for instance assignments, conditionals and the while-
construction). Sem_SL is a kind of denotational semantics. Its primitive oper-
ations are assign and fetch, together with general algebraic and arithmetical
operations. The meanings of the syntactic operations are described by polyno-
mials over the primitive operations. The target language consists of flow charts,
and its meanings in Sem_TL are unfolded flow charts. As they say, the radi-
cal improvement in comparison with Morris lies in this part: making flowcharts
algebraic. Enc is defined as a mapping from the carriers of Sem_SL into corre-
sponding carriers in Sem_TL. For instance, the functions from Environments
to Environments are mapped to the functions from (Stacks × Environments)
to (Stacks × Environments) that leave the stack unchanged. Next it is proven
that Enc is a homomorphism. The proof requires the checking of the 18 syntactic
operations, and uses many properties of Sem_SL and Sem_TL. As a consequence
both Enc ∘ Int_SL and Int_TL ∘ Comp are homomorphisms from Syn_SL to Sem_TL.
Since Syn_SL is an initial algebra, there is a unique homomorphism from Syn_SL
to Sem_TL, hence Enc ∘ Int_SL = Int_TL ∘ Comp, so the diagram commutes.

The definition of compiler correctness as commutativity of diagram 2 is, intu- 
itively, not satisfactory. In the left hand side of the diagram some programming 
language is given, together with the intended meaning of this language. The 
right hand side should tell a machine how to perform the actions described by 
the programming language. Since a compiled program should do what it has 
to do according to the semantics of the programming language, going through 
a compiler should be a way to obtain the originally intended semantics. Hence 
the meanings of the target algebra should be interpreted in the original seman-
tic algebra of the programming language in order to see whether the compiler
yields the intended results. So for a correct compilation there has to be a de-
coding mapping Dec: Sem_TL → Sem_SL such that diagram 3 commutes, i.e. the
diagram of Morris gives the appropriate definition.

These considerations can be illustrated by two examples of compilers for 
which the definitions diverge: an intuitively incorrect compiler, and an intuitively 
correct one. 

Example 1. Let SL be a programming language that has both positive and neg-
ative numbers, and that has multiplication as operation. Suppose that in the
interpretation of TL all information concerning signs is thrown away: Sem_TL
operates only with positive numbers. Of course, this is not what intuitively
would be called a ‘correct compiler’. According to the definition of Thatcher et
al., this would be a correct compiler since there is a homomorphism Enc such
that diagram 2 commutes (let the image of a number be its absolute value). Di-
agram 3 cannot be made commutative: there exists no decoding Dec that could
achieve this, because a positive number in Sem_TL then should have two images
in Sem_SL. So, according to the definition of Morris, the proposed compiler is
incorrect, and this is in accordance with the intuition.

□ 

Example 2. Suppose SL has the syntactically distinct expressions −0 and +0,
and both have semantic interpretation: the number zero. Suppose moreover that
they correspond with two distinct expressions in TL (again −0 and +0), and
that their interpretation in Sem_TL differs as well (say a different sign bit in their
representation in the memory). Let the decoding homomorphism Dec map them
to the same value in Sem_SL: the number zero.

This compiler would intuitively be considered as correct. Indeed, diagram 3
commutes, and the compiler is correct according to the definition of Morris. There
is no encoding homomorphism Enc that makes diagram 2 commutative, so
according to the definition of Thatcher the compiler would be incorrect. Note
moreover that there is no isomorphism between Sem_SL and Sem_TL.

Compilers resembling the one above were made in the seventies; an example
is the CDC Cyber. It had two representations for the number zero (positive and
negative zero). Negation of a number (a string of bits) was very simple: replace
each 1 by a 0, and each 0 by a 1. This number representation system was called
‘one’s complement’. Later computers (e.g. the IBM 360) used another system
(‘two’s complement’) which has only one representation for zero.

□ 

This discussion shows that the notion ‘correct compiler’ is not formalized by 
diagram 2, but by diagram 3, so there has to be a decoding homomorphism. 
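To make the two correctness notions concrete, the following Python check (added here, not from the paper) tests Diagrams 2 and 3 on a finite set of programs for compilers shaped like Examples 1 and 2. Over finitely many programs both questions reduce to whether a collected relation is a function. The literals, the tuple encoding of programs and all function names are this example's own.

```python
"""Added example (not from the paper): checking Diagram 2 against Diagram 3
on compilers shaped like Examples 1 and 2.

Over a finite set of programs, Diagram 2 (Thatcher et al.) commutes iff the
pairs (Int_SL(e), Int_TL(Comp(e))) describe a function Enc, and Diagram 3
(Morris) commutes iff the reversed pairs describe a function Dec. Programs,
semantics and literals below are constructed for this example.
"""
from itertools import product
from typing import Dict, Hashable, Iterable, Optional, Tuple

# Programs are nested tuples: ("lit", sign, magnitude) | ("mul", e1, e2).
Program = tuple


def as_function(pairs: Iterable[Tuple[Hashable, Hashable]]) -> Optional[Dict]:
    """The function given by `pairs` as a dict, or None when one left-hand
    value is paired with two different right-hand values (not functional)."""
    f: Dict = {}
    for a, b in pairs:
        if f.setdefault(a, b) != b:
            return None
    return f


def encoding(programs, int_sl, int_tl, comp) -> Optional[Dict]:
    """Diagram 2: Enc with Enc(Int_SL(e)) = Int_TL(Comp(e)), if it exists."""
    return as_function((int_sl(e), int_tl(comp(e))) for e in programs)


def decoding(programs, int_sl, int_tl, comp) -> Optional[Dict]:
    """Diagram 3: Dec with Dec(Int_TL(Comp(e))) = Int_SL(e), if it exists."""
    return as_function((int_tl(comp(e)), int_sl(e)) for e in programs)


def comp(e: Program) -> Program:
    """Comp: the target syntax mirrors the source syntax one-to-one (so, as in
    Example 2, -0 and +0 remain distinct target expressions)."""
    return e


def int_sl(e: Program) -> int:
    """Sem_SL: the integers; -0 and +0 both denote zero."""
    if e[0] == "lit":
        return e[1] * e[2]
    return int_sl(e[1]) * int_sl(e[2])


def int_tl_example1(e: Program) -> int:
    """Sem_TL of Example 1: all sign information is thrown away."""
    if e[0] == "lit":
        return e[2]
    return int_tl_example1(e[1]) * int_tl_example1(e[2])


def int_tl_example2(e: Program) -> Tuple[int, int]:
    """Sem_TL of Example 2: (sign bit, magnitude), so -0 and +0 differ."""
    if e[0] == "lit":
        return (e[1], e[2])
    s1, m1 = int_tl_example2(e[1])
    s2, m2 = int_tl_example2(e[2])
    return (s1 * s2, m1 * m2)


LITERALS = [(+1, 0), (-1, 0), (+1, 2), (-1, 2), (+1, 3)]   # constructed


def sample_programs():
    """All literals plus every product of two literals."""
    lits = [("lit", s, m) for s, m in LITERALS]
    return lits + [("mul", a, b) for a, b in product(lits, repeat=2)]


def judge(int_tl) -> Dict[str, bool]:
    """Which correctness notion accepts the compiler (Int_SL, Comp, Int_TL)?"""
    progs = sample_programs()
    return {"diagram2_thatcher": encoding(progs, int_sl, int_tl, comp) is not None,
            "diagram3_morris": decoding(progs, int_sl, int_tl, comp) is not None}
```

Example 1 passes only Diagram 2 (Enc is the absolute value), Example 2 passes only Diagram 3 (Dec collapses both zeros); neither admits an isomorphism, as the text notes.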

2.3 The correctness notion of Morris 

In sect. 2.2 it appeared that the definition of Morris was the correct one. But what
about the suggestion of Thatcher et al. that the diagram in Morris’ article was
not the intended one? Indeed, all the technical work in Morris’ article is about the
encoding function Enc from source semantics to target semantics. However, he
gives explicitly his argument: ‘It proves more convenient to define an “encoding”
function Enc: Sem_SL → Sem_TL than one in the opposite direction; it will be
necessary to prove as a final step in proving the correctness to show that Enc
has a decoding inverse Dec: Sem_TL → Sem_SL […]’ [25, p. 150, +15]. Such a
statement is repeated after the definition of Enc [p. 150, −2]. These quotations
show that the occurrence of the decoding Dec in the diagram was on purpose,
and not some printing error. As a matter of fact, Morris could prove properties
of Enc instead of properties of Dec because a situation like the one from example
2 does not arise in his fragment.

Morris’ correctness diagram can also be found in earlier publications by
Burstall and Landin [2] and by Milner and Weyrauch [22]. A variant is pro-
posed by Chirica [3]: he does not use a decoding homomorphism, but a family of
homomorphisms. The great influence of Thatcher et al. [40] appears from the
fact that their approach is followed without discussion in almost all later pub-
lications. Significant in this respect is the change from the definition by Mosses
in [27] to the one in [28] (i.e. Thatcher’s definition which just appeared). The
publications which I found with a correctness diagram have almost all the same
diagram as Thatcher. They are Polak [33], Dybjer [6], Royer [35], Tofte [42], and
Meijer [20]. The exception is T. Rus, who has his own diagram (see [36]); this is
not discussed in this paper.

One might wonder why the original position was so easily abandoned. An
explanation could be the influence of category theory. By category theory one
is challenged to construct pullbacks, and the encoding homomorphism turns the
diagram into one. In any case, some authors tried (in personal commu-
nication) to explain Thatcher’s compiler definition with this category-theoretic
argument. An additional factor is probably that the examples discussed in the
articles have an injective encoding (this is not made explicit in the articles,
though). In general, however, the encoding is no function at all, witness example
2.



3 Translating from view language to database language 

In this section we consider a translation problem that arises in connection with 
databases. Usually individual users of a data base are not allowed to see all the
data, let alone the full structure of the data base. They have only access to their
own view, which gives a restricted, and maybe modified, perspective. The view 
facility allows each user to see the database in its own way. The relation with 
the original data base is given in the view definition, which maps a state of 
the database into a view state. Instructions which the user performs on his view 
have to be translated into instructions of the database itself. For queries this goes 
without complications. For updates this raises problems because there can be 
several data base updates that correspond to a given view update. Furthermore, 
the update has to be done in such a way that also after further updates the data 
base remains in correspondence with the view. 

Bancilhon and Spyratos [1] study the problems mentioned above, and inves- 
tigate which translations are allowed. Their first step is to formulate the require- 
ments: updates can be undone, the composition of two updates is an update 
again, and the translation is a homomorphism. These properties are not for- 
mulated with commutative diagrams, but their proposal (their sect. 3) becomes 
more transparent if we do so. 

Definition 1. Let U be an algebra of view updates, where U is closed under
the operations composition (;) and right-inverse (^{-1}). Let Id_DB be the identity
on the data base. A correct translation is a homomorphism T with the following
two properties:

1. T(u ; u^{-1}) = Id_DB

2. Diagram 4 commutes.

    U ----------T---------> L_DB
    |                        |
  Int_U                   Int_DB
    v                        v
    V <--------f_V--------- S_DB

U       view language algebra, with operations ; and ^{-1}
T       translation homomorphism
L_DB    database update language (restructured as image of U)
Int_U   interpretation of U in the view
Int_DB  interpretation of L_DB in the data base
V       the views with update operations
f_V     view definition
S_DB    data base states with state transformations

Diagram 4. T is a correct translation of view updates if the diagram commutes
(algebraic reformulation of Bancilhon and Spyratos [1, sect. 3])

4 Translating from concurrent language to concurrent 
language 

Shapiro [38] presents a general method to compare languages, and his particu- 
lar aim is to compare concurrent programming languages. Such languages are 
difficult to compare because they use different notions of communication and 
synchronization and different models, and therefore their semantic models are 
often irreconcilable. The method Shapiro presents is based on algebraic embed-
dings. In another paper [26] the method is applied to compare languages defined
by machines (Turing machines and finite automata).

The central notion in his approach is ‘observable behavior’, which in the
present context means ‘state transitions’. The theme is the behavior of concur-
rent programming languages with respect to their parallel composition operator.
The relation ‘have the same observable behavior’ defines an equivalence relation
on the programs, and this relation can be characterized as the ker-
nel of the interpretation function Ob. These behaviors can be compared, and thus
give a comparison of the languages. His key definition is given below; he calls
‘sound’ what we call ‘correct’, otherwise the description is identical to his
proposal.

Definition 2. A translation homomorphism Tr is correct if there is a Dec such
that diagram 5 commutes.

    ℒ_1 ----------Tr---------> ℒ_2
     |                          |
   Ob_1                       Ob_2
     v                          v
    O_1 <---------Dec--------- O_2

ℒ_1     algebra defining concurrent language L_1
Tr      translation function
ℒ_2     algebra defining concurrent language L_2
Ob_1    mapping with observable behaviors as kernel
Ob_2    mapping with observable behaviors as kernel
O_1     set of observable behaviors
O_2     set of observable behaviors
Dec     decoding function

Diagram 5. Correct translation of concurrent languages according to Shapiro [38, p. 200]

A stronger notion is what he calls faithful: when Dec has an inverse. The
meaning assignment Ob is compositional if that mapping defines a congruence
relation. For these notions he proves some theorems, e.g. conditions when a
correct translation is also faithful.

His main theorems state that two properties of concurrent languages are
preserved under correct translations: ‘interference freedom’ and ‘connection
hiding’. For several programming languages it is proven either that they have
such a property, or that they do not. Thus this method of comparison primarily
yields many negative results: concurrent languages for which no embedding is
possible. Positive results are more difficult to obtain because then details of the
concurrent behavior have to be considered. That is done for some languages in
[39]. Together with embeddings from the literature, it gives a catalogue in which
22 concurrent languages are compared.

5 Translating from logic to logic

There are many logical languages, and between several of them translations have
been defined. The purpose of such translations is to investigate the relation be-
tween the logics, for instance their relative strength or their relative consistency.
If one considers the method behind such translations, it turns out that (al-
most) always the algebraic method is used. We shall consider a famous example:
Gödel’s translation (denoted Gt) of intuitionistic propositional logic into modal
logic (see e.g. [4], [8]).

In intuitionistic logic connectives have a constructive interpretation. For in- 
stance (j) ^ tp could be read as ‘given a proof for cp, it can be transformed into 
a proof for ip’. The disjunction (py ip is read as ‘a proof for <p is available or a 
proof for Ip is available’. Since it may be the case that neither a proof for (p nor 
for ~^(p is available, it is explained why (p V ~'(p is not a tautology in intuitionistic 
logic . This explanation has a modal flavor, made explicit in the translation Gt 
into modal logic S4. In the clauses of the translation the negation does not occur 
because in intuitionistic logic ~^<p is defined as an abbreviation for ^ T, where 
T is ‘absurdum’. 

1. Gt(p) = Op, for p an atom 

2. Gt((/)V V-) = Gt{(p)y Gt{ip) 

3. Gi\(pAip) = Gt{(p) A Gt{ip) 

4. Gt(T) = T 

5. Gt(</> ^ip)=n [Gt{(p) Gt{iP)] 

Note that the translation of $p \vee \neg p$ is $\Box p \vee \Box(\Box p \to \bot)$ (which is not a tautology in 
modal logic). 

It is not difficult to formulate this translation in an explicit algebraic format. 
We introduce an algebra IL for the syntax of intuitionistic logic. This algebra 
has for instance the operator $IL_\vee$, which puts $\vee$ between its two input arguments: 

$IL_\vee(\varphi, \psi) = \varphi \vee \psi$, where $\varphi$ and $\psi$ are elements of IL. 

The operators $IL_\wedge$ and $IL_\to$ are defined likewise. The generators of IL are 

$\bot, p, q, \ldots$ 

For modal logic we do the same. Its syntactic algebra ML has the operators 
$ML_\vee$, $ML_\wedge$, $ML_\to$, and $ML_\Box$, and the generators $\bot, p, q, \ldots$ The operator $ML_\Box$, for 
instance, is defined by 

$ML_\Box(\varphi) = \Box(\varphi)$, where $\varphi$ is an element of ML. 

The translation Gt now becomes a homomorphism from IL to an algebra ML' 
derived from ML. The operators in this derived algebra are $ML_\vee$ and $ML_\wedge$ from 
the original algebra ML, and a new one, viz. the polynomially defined operator 
$ML_\Box(ML_\to(X, Y))$. Its effect is by definition: 

$ML_\Box(ML_\to(X, Y))(\varphi, \psi) = \Box[\varphi \to \psi]$. 

Of course, the operator $IL_\vee$ corresponds in the translation with $ML_\vee$ and $IL_\wedge$ 
with $ML_\wedge$. Furthermore, $IL_\to$ corresponds with $ML_\Box(ML_\to(X, Y))$. Finally, the 
generators $\bot, p, q, \ldots$ of IL correspond with $\bot, \Box p, \Box q, \ldots$ respectively, which 
are the generators of ML'. 
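Gt written out as working code, as an added example that is not from the paper: the clause-by-clause definition, the same translation as a homomorphism fixed only by the images of the generators and operators of IL, and a constructed S4 model in which the translation of p ∨ ¬p fails. The tuple encoding of formulas and all function names are assumptions of this example.

```python
# Formulas as nested tuples (assumed encoding): an atom is a str, BOT is
# absurdum, ('or', a, b), ('and', a, b), ('imp', a, b) are the connectives
# and ('box', a) is the modal box.  Negation is the abbreviation phi -> bot.
BOT = ('bot',)

def neg(phi):
    """Intuitionistic negation as an abbreviation: ~phi = phi -> bot."""
    return ('imp', phi, BOT)

# ---- Gt, clause by clause (clauses 1-5 of the text) -------------------------
def gt(phi):
    if isinstance(phi, str):                      # 1. Gt(p) = box p
        return ('box', phi)
    tag = phi[0]
    if tag == 'bot':                              # 4. Gt(bot) = bot
        return BOT
    if tag in ('or', 'and'):                      # 2., 3. pass through
        return (tag, gt(phi[1]), gt(phi[2]))
    if tag == 'imp':                              # 5. Gt(a -> b) = box[Gt a -> Gt b]
        return ('box', ('imp', gt(phi[1]), gt(phi[2])))
    raise ValueError(f'not an IL formula: {phi!r}')

# ---- the same translation in explicit algebraic format ----------------------
# Operators of the modal syntactic algebra ML.
def ml_or(x, y):  return ('or', x, y)
def ml_and(x, y): return ('and', x, y)
def ml_imp(x, y): return ('imp', x, y)
def ml_box(x):    return ('box', x)

# The derived algebra ML': ML_or and ML_and are taken over unchanged, and the
# polynomially defined operator ML_box(ML_imp(X, Y)) is the image of IL_imp.
ML_DERIVED_OPS = {
    'or':  ml_or,
    'and': ml_and,
    'imp': lambda x, y: ml_box(ml_imp(x, y)),
}

def ml_derived_generator(g):
    """Generators bot, p, q, ... of IL map to bot, box p, box q, ... of ML'."""
    return BOT if g == BOT else ml_box(g)

def hom(term, ops, gen):
    """The homomorphism from IL into a similar algebra, fixed by the images
    of the operators (ops) and of the generators (gen)."""
    if isinstance(term, str) or term == BOT:
        return gen(term)
    tag, *args = term
    return ops[tag](*(hom(a, ops, gen) for a in args))

def gt_algebraic(phi):
    return hom(phi, ML_DERIVED_OPS, ml_derived_generator)

# ---- printing, and a Kripke countermodel for the note in the text -----------
def show(phi):
    if isinstance(phi, str):
        return phi
    tag = phi[0]
    if tag == 'bot':
        return '⊥'
    if tag == 'box':
        return '□' + show(phi[1])
    sym = {'or': ' ∨ ', 'and': ' ∧ ', 'imp': ' → '}[tag]
    return f'({show(phi[1])}{sym}{show(phi[2])})'

def holds(model, w, phi):
    """Truth of a modal formula at world w.  A model is
    {'R': {w: set of accessible worlds}, 'V': {w: set of true atoms}}."""
    if isinstance(phi, str):
        return phi in model['V'][w]
    tag = phi[0]
    if tag == 'bot':
        return False
    if tag == 'box':
        return all(holds(model, v, phi[1]) for v in model['R'][w])
    a, b = holds(model, w, phi[1]), holds(model, w, phi[2])
    return {'or': a or b, 'and': a and b, 'imp': (not a) or b}[tag]

# Constructed S4 model (R reflexive and transitive): w0 sees w0 and w1, w1 sees
# only itself, and p is true only in w1.  Gt(p ∨ ¬p) is false at w0.
S4_MODEL = {'R': {'w0': {'w0', 'w1'}, 'w1': {'w1'}},
            'V': {'w0': set(), 'w1': {'p'}}}

EXCLUDED_MIDDLE = ('or', 'p', neg('p'))

if __name__ == '__main__':
    print(show(gt(EXCLUDED_MIDDLE)))                   # (□p ∨ □(□p → ⊥))
    print(gt(EXCLUDED_MIDDLE) == gt_algebraic(EXCLUDED_MIDDLE))
    print(holds(S4_MODEL, 'w0', gt(EXCLUDED_MIDDLE)))  # False
```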

The method of translating exemplified by Gt, viz. the algebraic method, is 
the standard method in the field of logic: the definition of translation follows 
the clauses of the grammar of the source language logic, and for each clause the 
translation is given by a (possibly compound) expression in the target logic. A 
large number of translations between logics is collected by Epstein [8, Chapter 
10: ‘Translations between Logic’, pp. 289-314]. Almost all of them are homomorphisms 
(there they are called ‘grammatical translations’), and the few that 
are not, are also in other respects deviant [p. 313]. It would be interesting to 
investigate the semantic (model-theoretic) counterparts of such non-homomorphic 
translations. 

6 Translating from natural language to natural language 

Many methods have been proposed for translating from one natural language to 
another. The Rosetta project of the Philips Research laboratories (Eindhoven, 
the Netherlands) has used one that is in that field very special: the compositional 
(algebraic) method. The syntax of the source language is organized as an algebra, 
the syntax of the target language is a similar algebra, and translating is an 
isomorphism. Their approach is illustrated by the following simplified example. 
Consider sentence (1), which has (2) as translation in Dutch. 

(1) Peter does not sing. 

(2) Peter zingt niet. 

The sentences have different syntactic structures: in English there is an auxiliary 
verb (do) that has no counterpart in the Dutch sentence. If one would design for 
each language separately context free rules producing the respective sentences, 
then the grammars would not be isomorphic. Nevertheless, in Rosetta the sen- 
tences are generated by isomorphic algebras, and below it will be explained how 
this is done. 

The generators of an algebra E for this fragment of English are Peter and 
to sing. For Dutch the corresponding generators are Peter and zingen. E has 
an operator $R_{E,1}$ that produces from the two generators sentence (3), and $R_{D,1}$ 
produces likewise (4). 

(3) Peter sings. 

(4) Peter zingt. 

Furthermore there is an operator $R_{E,2}$ that takes as input a sentence and yields 
its negation. This is not a straightforward rule because the rule has to find the 
finite verb, move it to another position, and insert does and not. The Dutch rule 
$R_{D,2}$ is simpler. So we have: 

(5) $R_{E,2}(R_{E,1}(Peter, to\ sing))$ = Peter does not sing. 

(6) $R_{D,2}(R_{D,1}(Peter, zingen))$ = Peter zingt niet. 

The left hand sides of (5) and (6) describe how the sentence is formed. In (5) 
it says that $R_{E,1}$ is applied to two generators (Peter, to sing), and next $R_{E,2}$ is 
applied to the result. In algebra the left hand side of (5) is called a ‘term’, so a 
term represents a derivation of an expression. The terms corresponding with an 
algebra A form an algebra themselves, called the term algebra, denoted as $T_A$. 

As one sees, the terms (derivations) in (5) and (6) are isomorphic. This is 
also the case for the (large) fragments described in the Rosetta system. The 
isomorphism became possible by adopting the following points of view: 
— The algebras are designed, and not discovered as (innate) properties of the 
mind. The latter is the opinion of a prominent tradition in linguistics. 

— The design of the algebras is guided by semantic insights: a syntactic operator 
corresponds with a meaning operation. This aspect constitutes a difference 
with many grammatical models in the linguistic tradition or in computa- 
tional linguistics. In sect. 7 more information will be given about meanings 
for natural languages. 

— Operators are powerful, they do more than just concatenation. They do not 
necessarily correspond with context free rules. 

— Algebras for different languages are tuned. The algebra for a language is 
not necessarily the algebra that would be designed for the language when 
considered in isolation: sometimes a decision for one language is influenced 
by phenomena in the other language. 



There are two properties of natural languages that cause differences in alge- 
braic respects with the framework described in other sections. 

The first is that natural languages are ambiguous. The algebra for a language 
is designed in such a way that an expression which has two different meanings, 
can be formed in different ways. It may be formed from different generators, or 
using different operators (or both). So, in algebraic terminology, two different 
terms may represent the same expression of the language. Hence the algebra 
for the source language is not an initial algebra. Since differences in the way of 
formation of an expression may correspond with differences in translation, the 
translation homomorphism is not based on the algebra for the source language, 
but on the term algebra that corresponds with that syntactic algebra. This is 
by its nature an initial algebra. For the target language the same argumentation 
applies, so the range of the translation is the term algebra which corresponds 
with the algebra for the target language. 

A second point is that natural languages have synonymous expressions; so 
one expression may have several equivalent translations. Rosetta aims at ob- 
taining all possible translations and (distinctly from most translation systems) 
does not select, by some criterion, one of those. This situation does not only 
arise for words, but also for operators: one construction in the source language 
can sometimes be translated by several constructions in the target language. 
Furthermore, different expressions may have the same translation. So there is 
a many-many correspondence between source and target language. For these 
reasons, the translation is defined between sets of expressions. In algebraic ter- 
minology the situation is as follows. The relation ‘are translation equivalent’ is in 
the system a congruence relation on (sub)expressions. This congruence induces 
a quotient algebra for each of the term algebras, and the translation is defined 
between these quotient algebras. Due to this quotient construction, the transla- 
tion homomorphism becomes an isomorphism. That the translation relation is a 
congruence relation is partially due to translation properties of natural language, 
but also due to the design of the algebra. 
6.1 Correctness 

A translation from one natural language into another should be correct. And 
by correctness is of course understood that the original and the translation have 
the same meaning. Since natural languages have an infinite number of sentences, 
correctness of translation is a property on an infinite set. The algebraic method 
reduces this to a finite property: if the translations of generators and of opera- 
tors are correct, the correctness for all sentences follows. Of the Rosetta system 
it is assumed, based on intuitions about translations, that the generators and 
operators are translated correctly. From that, the correctness of the whole sys- 
tem follows. This guarantee is something that other translation systems do not 
have, and is one of the advantages of the algebraic method. In proving compiler 
correctness the same situation arises, and the same guarantee can be given. 

The algebraic structure of Rosetta is described extensively in chapter 19 of 
[34]. It is summarized in diagram (6). 

Diagram 6 (layout lost in extraction). The square: $T_E/\!\equiv \xrightarrow{Tr} T_D/\!\equiv$ along the 
top, $Int_E$ and $Int_D$ downwards, and $Sem_E$ and $Sem_D$ along the bottom connected by id. 

$T_X$ term algebra for X, where X = E(nglish) or X = D(utch) 

Tr translation isomorphism 

$\equiv$ congruence relation ‘translation equivalent’ 

$Int_X$ interpretation for X 

$Sem_X$ meanings for X; so $Sem_E = Sem_D$ 

Diagram 6. The algebraic structure of Rosetta for translating from English to Dutch. 
The translation is correct if the diagram commutes in both directions (see [34, ch. 19]) 



7 Translating from natural language to logic 

7.1 Montague grammar 

Semantics of natural language is traditionally studied in the field of philosophy 
of language. Often meanings of natural language expressions are represented in 
some logic. For long, say until 1975, in all articles it was more or less stipulated 
which formula was the correct meaning representation of a given sentence (its 
‘logical form’). This situation has been characterized as follows: it seemed that 
a ‘bilingual logician’, who knew logic and who knew natural language, had pro- 
vided the formula. An opinion often heard (the ‘misleading form thesis’) was 
that there exists a great difference between the sentence and its logical repre- 
sentation. Therefore it was proposed to design for certain purposes a ’purified 
natural’ language. So natural language and logical languages were two worlds, 
with only loose connections. 

A radical change in this situation was brought by Richard Montague, a mathematical 
logician. He developed a method to relate natural language and logic 
in a systematic way, presented a semantically interesting fragment of English and 
provided it with a model-theoretic interpretation through a systematic translation 
into logic (see [24]). It became, for the first time in history, possible to 
calculate which meaning is associated with a given sentence, and to make predictions 
concerning meanings of sentences. 

His method was presented in [23], and it is the same algebraic method fol- 
lowed in the other sections of this paper. The syntax of the natural language is 
a many sorted algebra, and meaning assignment is a homomorphic translation 
into a logical language. The domain of this homomorphism is not the syntactic 
algebra itself, but the corresponding term algebra (the algebra of derivations). 
Different readings correspond with different ways of production, so with different 
terms. 

The method of Montague grammar is illustrated by the simplified treatment 
of sentence (1). 

(1) John and Mary walk 

The syntactic algebra has three generators: John and Mary of sort PN (Proper 
Name), and walk of sort V (verb). Other sorts are NP (Noun Phrase) and S 
(Sentence). The operators are (for $R_1$ and $R_2$, see sect. 6): 

1. $R_1$: NP × V → S, where $R_1(\alpha, \beta) = \alpha\ \beta$ 

2. $R_3$: PN × PN → NP, where $R_3(\alpha, \beta) = \alpha$ and $\beta$ 

So the production of (1) is described by the term: 

(2) $R_1(R_3(John, Mary), walk)$ 

In Montague’s original paper, sentences are translated into intensional logic. 
That is a higher order modal logic with lambda abstraction. For simplicity, we 
translate here into extensional predicate logic, enriched with lambda abstrac- 
tion. The logic has one predicate: WALK , and two constants: j and m. The 
proper names translate into the corresponding constants, and the verb in the 
corresponding predicate. So the translation Tr of the generators is: 

$Tr(John) = j$, $Tr(Mary) = m$, and $Tr(walk) = WALK$ 

The operators corresponding with $R_1$ and $R_3$ are respectively: 

1. $T_1$: $Bool^{Pred} \times Pred \to Bool$, where $T_1(\gamma, \delta) = \gamma(\delta)$ 

2. $T_3$: $Indiv \times Indiv \to Bool^{Pred}$, where $T_3(\alpha, \beta) = \lambda P[P(\alpha) \wedge P(\beta)]$ 

So the translation of John and Mary is: 

(3) $\lambda P[P(j) \wedge P(m)]$ 

And of the sentence John and Mary walk: 

(4) $\lambda P[P(j) \wedge P(m)](WALK)$ 

This can be reduced (by lambda conversion) to: 

(5) $WALK(j) \wedge WALK(m)$ 

A significant point in the above example is the translation of PN-conjunction 
($R_3$): it is an operator ($T_3$) that is defined by means of a polynomial expression. 
In larger fragments that situation would arise frequently: logic has few operators 
and constants, whereas natural language needs a lot. So the algebra NL for 
natural language is not similar to the algebra L for logic. New operators and 
constants are defined by means of polynomial expressions, and thus within L a 
reconstruction L' is made of NL. So $T_{NL}$ is translated onto a polynomially derived 
algebra L'. Then the interpretation of L determines a unique interpretation 
of L'. This is expressed in: 

Theorem 1. Montague [23, p. 225] Let L be an algebra (for logic), I a homomorphism 
from L to some algebra M, and let L' be an algebra obtained from L 
by replacing its operations by polynomially defined operations. Then there is a 
unique algebra M' such that there is a homomorphism I' from L' to M', where 
$I'(a) = I(a)$ whenever $I'(a)$ is defined. 

This theorem is the background of the following definition of a Montague 
grammar. The algebraic structure of a Montague grammar is presented in dia- 
gram (7). 

Definition 3. A Montague grammar consists of a syntactic algebra NL, a logical 
algebra L, a polynomial derivor $\delta$ and a homomorphism from $T_{NL}$ to $\delta(L)$. 
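The derivation of (1) through (5) as an added example, not the paper's own code: terms over the syntactic algebra, the homomorphic translation Tr into the lambda-enriched logic (with $T_3$ as a polynomially defined operator), lambda conversion, and interpretation in a constructed model. The tuple encodings and all function names are assumptions of this example.

```python
# Terms of the syntactic algebra NL (assumed encoding): a generator is a str,
# ('R1', np, v) and ('R3', pn, pn) are applications of the operators R1 and R3.
# Expressions of the logic are tuples too: ('const', 'j'), ('pred', 'WALK'),
# ('var', 'P'), ('lam', 'P', body), ('app', f, a) and ('and', p, q).

# ---- the operators of NL, producing the surface strings ---------------------
def r1(alpha, beta):           # R1: NP x V -> S
    return f'{alpha} {beta}'

def r3(alpha, beta):           # R3: PN x PN -> NP
    return f'{alpha} and {beta}'

def yield_string(term):
    """Evaluate a term in NL itself: the expression the derivation produces."""
    if isinstance(term, str):
        return term
    op, a, b = term
    return {'R1': r1, 'R3': r3}[op](yield_string(a), yield_string(b))

# ---- the translation Tr: a homomorphism from T_NL into the derived logic ----
GENERATORS = {'John': ('const', 'j'), 'Mary': ('const', 'm'),
              'walk': ('pred', 'WALK')}

def t1(gamma, delta):          # T1(gamma, delta) = gamma(delta)
    return ('app', gamma, delta)

def t3(alpha, beta):           # T3(alpha, beta) = λP[P(alpha) ∧ P(beta)]
    P = ('var', 'P')
    return ('lam', 'P', ('and', ('app', P, alpha), ('app', P, beta)))

def tr(term):
    """Tr is fixed by the images of the generators and of R1 and R3."""
    if isinstance(term, str):
        return GENERATORS[term]
    op, a, b = term
    return {'R1': t1, 'R3': t3}[op](tr(a), tr(b))

# ---- lambda conversion ------------------------------------------------------
def subst(body, var, value):
    """Replace the free occurrences of ('var', var) in body by value.
    Assumption: bound variable names are not reused, so no capture arises."""
    if body == ('var', var):
        return value
    tag = body[0]
    if tag == 'lam':
        return body if body[1] == var else ('lam', body[1], subst(body[2], var, value))
    if tag in ('app', 'and'):
        return (tag, subst(body[1], var, value), subst(body[2], var, value))
    return body

def beta_reduce(f):
    """Normalise by beta-reduction."""
    tag = f[0]
    if tag == 'app':
        fun, arg = beta_reduce(f[1]), beta_reduce(f[2])
        if fun[0] == 'lam':
            return beta_reduce(subst(fun[2], fun[1], arg))
        return ('app', fun, arg)
    if tag == 'and':
        return ('and', beta_reduce(f[1]), beta_reduce(f[2]))
    if tag == 'lam':
        return ('lam', f[1], beta_reduce(f[2]))
    return f

def show(f):
    tag = f[0]
    if tag in ('const', 'var', 'pred'):
        return f[1]
    if tag == 'lam':
        return f'λ{f[1]}[{show(f[2])}]'
    if tag == 'and':
        return f'{show(f[1])} ∧ {show(f[2])}'
    return f'{show(f[1])}({show(f[2])})'

# ---- interpretation in a constructed model ----------------------------------
MODEL = {'j': 'john', 'm': 'mary', 'WALK': {'john', 'mary'}}

def interpret(f, model=MODEL):
    """Truth value of a reduced, closed first-order formula in the model."""
    tag = f[0]
    if tag == 'and':
        return interpret(f[1], model) and interpret(f[2], model)
    if tag == 'app' and f[1][0] == 'pred' and f[2][0] == 'const':
        return model[f[2][1]] in model[f[1][1]]
    raise ValueError(f'not a reduced closed formula: {show(f)}')

SENTENCE = ('R1', ('R3', 'John', 'Mary'), 'walk')    # term (2) of the text

if __name__ == '__main__':
    print(yield_string(SENTENCE))                 # John and Mary walk
    print(show(tr(SENTENCE)))                     # λP[P(j) ∧ P(m)](WALK)
    print(show(beta_reduce(tr(SENTENCE))))        # WALK(j) ∧ WALK(m)
    print(interpret(beta_reduce(tr(SENTENCE))))   # True
```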



Diagram 7 (layout lost in extraction). The upper square: $T_{NL} \xrightarrow{Int_{NL}} \mu(M)$ along 
the top, Tr down on the left and id down on the right, and $\delta(L) \xrightarrow{Int_{\delta(L)}} \mu(M)$ 
along the bottom; below it the residue shows $Int_L$ and M, the interpretation of the 
original logic L. 

NL algebra for Natural Language 

$T_{NL}$ terms over the algebra NL 

Tr translation homomorphism 

L algebra of logic 

$\delta$ derivor which restructures L 

$\delta(L)$ derived logical algebra 

$Int_X$ interpretation of X 

$\mu$ model-theoretic counterpart of $\delta$ 

M model for L 

$\mu(M)$ induced model for $\delta(L)$ 

id identity mapping 

Diagram 7. The algebraic structure of Montague grammar (see [23] sect. 5, and [13]) 



7.2 Correctness 

Of course, the meaning assignment is not an arbitrarily chosen one: it has to 
yield the ‘correct’ meaning. One might expect that this means that a meaning 
assignment has to capture our intuitions concerning meanings of phrases. Indeed, 
this was the case for the meaning assigned to John and Mary walk. For certain 
types of expressions, and for simple sentences, one might base formal meanings 
directly on intuitions, but in many cases it becomes problematic. The intuition 
may point in the wrong direction, or there might be no intuition at all, especially 
for subexpressions of sentences. For instance, the meaning of only cannot be 
something like ‘there is precisely one’, because it does not only occur in phrases 
like only John but also in only John and Mary and only man. 

The solution is to require meanings to formalize intuitions about entailment 
relations between sentences. A classical case from Montague’s best known article 
[24] is: sentence (6) entails (8), whereas (7) does not entail (8). 

(6) John finds a unicorn 

(7) John seeks a unicorn 

(8) There exists a unicorn 

A newer, intricate example is from Groenendijk and Stokhof [11]: from sentences 

(9) and (10) it follows that (11). 

(9) John knows whether Mary comes. 

(10) Mary does not come. 

(11) John knows that Mary does not come. 

This example illustrates again that intuitions concerning meanings of natural 
language expressions are not always available: what would be the intuition about 
whether Mary comes, or about that Mary comes? Based upon intuitions concern- 
ing meaning entailments, model-theoretic interpretations have to be defined that 
can account for them. 

Montague grammar traditionally is a form of possible world semantics. Sen- 
tences are interpreted as sets of possible worlds (with the moments of time as 
parameter), and entailment between two sentences corresponds with set inclu- 
sion (for the same parameter value). For instance, for every moment of time, 
the set of worlds in which (6) is true, forms a subset of the set for which (8) 
is true. This is not the case for (7) and (8). The examples with know require a 
formalization of the entailment relation that is more complex. 

The principle behind this heuristic is expressed in a famous quotation by 
Lewis [18]: 

In order to say what a meaning is, we may first ask what a meaning 
does, and then find something that does that. 

The entailment perspective on correctness is known in Montague grammar, 
but its formalization as the commutative diagram (8) is new. 

Diagram 8 (layout lost in extraction). The square: $T_{NL}^n \xrightarrow{Ent} \{ent, nent\}$ along 
the top, Tr down on the left and Incl on the right, and $L^n \xrightarrow{Int_L} W^n$ along the bottom. 

$T_{NL}^n$ n-tuples of terms for natural language 

Tr translation homomorphism 

$L^n$ n-tuples of formulas from logic 

Ent intuitions concerning entailment (ent) and non-entailment (nent) 

$Int_L$ interpretation of L 

$W^n$ n-tuples of meanings: functions from time points to sets of possible worlds 

Incl model-theoretic formalization of entailment (for n = 2 this is $\subseteq$) 

Diagram 8. Tr gives a correct translation of natural language sentences into logic if 
the diagram commutes. 

8 From programming language to logic 

Translations from programming language to logic could be used to assign meanings 
to the programs, but usually the intention is to prove something about 
a program, for instance its correctness or termination behavior. A well known 
method to make such a link between programs and logic is the Floyd-Hoare 
approach. Since the Floyd-Hoare approach inductively follows the structure of 
the text, one might be tempted to consider it as describing a compositional 
translation into logic. As will be explained, this is not the case. 

Consider, as an example, Hoare’s assignment rule. 

(1) $[t/x]P\ \{x := t\}\ P$ 

Here P is some statement about the values of identifiers. By $[t/x]P$ is understood 
the statement obtained from P by substituting t for all occurrences of x. 
The rule says the following. Suppose P has to hold after the assignment, then 
the statement $[t/x]P$ has to hold before the assignment. An example. Suppose 
$t = y + 1$, and $x > 9$ has to hold after the assignment, then $y + 1 > 9$ should 
hold before the assignment, i.e. $y > 8$. 

The first point is that the displayed expression is not a formula from logic, 
but a proof rule. So it is something of a different nature. If the logic is extended 
with $\lambda$ operators, we might use 

(2) $\lambda P[[t/x]P]$ 

as denoting a predicate transformer representing the meaning of the assignment. 
However then a second problem arises. The substitution operator does not belong 
to the logic itself, but to the meta language used to talk about formulas and 
manipulations on them. In order to let (2) denote a meaning, the substitution 
has to be given a semantic interpretation. It changes the state with respect to 
which the subformula in its scope is interpreted, viz. to the state which differs from 
the current one in that the value assigned to x equals t. Such an interpretation 
is given by Janssen and van Emde Boas [17, 16]. 

It is interesting to note that the same point arises in a different context, viz. 
the algebraic verification of compilers. By Müller-Olm [29, pp. 30-32] a semantic 
interpretation of substitution is given, which is completely comparable. 
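The assignment rule and the semantic reading of substitution as an added example, not from the paper: the syntactic substitution $[t/x]P$ is compared with evaluating P in the state updated at x, and the triple $[t/x]P\ \{x := t\}\ P$ is checked over constructed states for the example $t = y + 1$, $x > 9$. The tuple encoding of expressions and all function names are assumptions of this example.

```python
import itertools

# Expressions and predicates as tuples (assumed encoding): ('var', 'x'),
# ('num', 3), ('+', a, b), ('-', a, b), ('*', a, b), ('>', a, b), ('=', a, b),
# ('and', p, q), ('not', p).  A state maps identifiers to integers.

def subst(expr, x, t):
    """Syntactic substitution [t/x]expr: every occurrence of identifier x is
    replaced by the expression t.  This is an operation of the meta language:
    it manipulates formulas, not states."""
    if expr[0] == 'var':
        return t if expr[1] == x else expr
    if expr[0] == 'num':
        return expr
    return (expr[0],) + tuple(subst(sub, x, t) for sub in expr[1:])

def evaluate(expr, state):
    """Meaning of an expression or predicate in a state."""
    tag = expr[0]
    if tag == 'var':
        return state[expr[1]]
    if tag == 'num':
        return expr[1]
    if tag == 'not':
        return not evaluate(expr[1], state)
    a = evaluate(expr[1], state)
    b = evaluate(expr[2], state)
    return {'+': a + b, '-': a - b, '*': a * b,
            '>': a > b, '=': a == b, 'and': bool(a and b)}[tag]

def update(state, x, value):
    """The state that differs from state only in that x has the given value."""
    new = dict(state)
    new[x] = value
    return new

def wp_assign(x, t, post):
    """The predicate transformer λP[[t/x]P] of (2): the weakest precondition
    of x := t for postcondition post, obtained by syntactic substitution."""
    return subst(post, x, t)

def semantic_subst(post, x, t, state):
    """The semantic reading of [t/x]P: P interpreted in the state that differs
    from the current one in that the value assigned to x equals t."""
    return evaluate(post, update(state, x, evaluate(t, state)))

def check_assignment_rule(x, t, post, states):
    """In every state the syntactic and the semantic reading of [t/x]P agree,
    and whenever [t/x]P holds, executing x := t establishes P (the triple
    [t/x]P {x := t} P).  Returns the number of states checked."""
    pre = wp_assign(x, t, post)
    for s in states:
        syntactic = evaluate(pre, s)
        assert syntactic == semantic_subst(post, x, t, s), (s, pre)
        if syntactic:
            after = update(s, x, evaluate(t, s))      # effect of x := t
            assert evaluate(post, after), (s, after)
    return len(states)

# The worked example of the text: t = y + 1 and x > 9 must hold afterwards.
T = ('+', ('var', 'y'), ('num', 1))
POST = ('>', ('var', 'x'), ('num', 9))
PRE = wp_assign('x', T, POST)                    # y + 1 > 9
SIMPLIFIED = ('>', ('var', 'y'), ('num', 8))      # i.e. y > 8

# Constructed states on a small grid around the boundary y = 8.
STATES = [{'x': x, 'y': y}
          for x, y in itertools.product(range(-2, 13), repeat=2)]

def pre_equivalent_to_simplified(states=STATES):
    """y + 1 > 9 and y > 8 denote the same predicate on the constructed states."""
    return all(evaluate(PRE, s) == evaluate(SIMPLIFIED, s) for s in states)

if __name__ == '__main__':
    print(PRE)
    print(check_assignment_rule('x', T, POST, STATES), 'states checked')
    print(pre_equivalent_to_simplified())
```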
A related problem arises with the rules for procedures with parameters. There 
are several mechanisms for parameter passing; e.g. call by reference, call by value, 
and call by name. The last one is defined by means of syntactic substitution! 
In a compositional approach one would like to obtain the meaning of the entire 
construction (procedure call with given parameter) by combining the meaning 
of the procedure name with the meaning of the parameter. A remark expressing 
this, is from Tennent in a discussion [30]: ‘Your first two semantics are not ‘denotational’ 
. . . because the meaning of the procedure call constructs is not defined 
in terms of the meanings of its components’. Such a compositional analysis is 
given by Hung and Zucker [12]. They present a treatment in which all those 
mechanisms naturally find their place; each parameter mechanism corresponds 
with a different meaning for the parameter. 

Only some of the Floyd-Hoare rules can be seen (by suitable extension of the 
logic with $\lambda$-operators etc.) as describing meanings. Most can by their nature 
be considered only as proof rules. Hence the method of Floyd-Hoare is not a 
translation into logic. 



9 Towards a general theory of translation 

In previous sections it was shown that translations arise between several kinds 
of languages. We have seen that in most fields the algebraic method was put 
forward, often independently of the proposals in other fields. The publications 
in the different fields discuss the same issues and use related notions. So, there 
seems to be a common basis for a general theory of translation. Below a first, 
small step will be made. 

We may start with a principle for translating that can be seen as the philo- 
sophical background for the algebraic approach: 

The principle of compositionality of translation 

The translation of a compound expression is a function of the translations 
of its parts and of the rule by which the parts are combined. 

The first formulation of this principle was in a publication concerning the ma- 
chine translation project Eurotra, but the idea behind the principle can be found 
in older publications. A stronger (symmetric) form of the principle is the lead- 
ing principle of the machine translation project Rosetta [34]. The principle is 
inspired by Frege’s well known principle of compositionality of meaning. The 
formulation given above mirrors the formulation of Frege’s principle in [32, p. 
318]. 

The principle of compositionality of translation can be formalized by requiring 
that source and target language are algebras SL and TL respectively, and 
that translating is a homomorphism between the term algebras $T_{SL}$ and $T_{TL}$. However, 
for a practical reason, the definition below has more components. When 
two languages are given, they usually have their own internal structure and differ 
so much that they do not have a similar syntax. Therefore the range of 
the translation function has to be an algebra that is constructed by means of 
polynomial operators available in the target algebra. This leads to the following 
definition. 

Definition 4. Let the source language be defined by the algebra SL, and the 
target language by an algebra TL. Let $\delta$ be a polynomial derivor that transforms 
TL into an algebra similar to SL. Then a compositional translation from source 
language to target language is a homomorphism from the term algebra $T_{SL}$ 
to the term algebra $T_{\delta(TL)}$. The translation is correct if there is a mapping 
$Decode: Sem_{TL} \to Sem_{SL}$ such that the restriction Dec of Decode to $Sem_{\delta(TL)}$ 
is a homomorphism that makes the leftmost square in diagram (9) commute. 

□ 



Diagram 9 (layout lost in extraction). Top row: $T_{SL} \xrightarrow{Int_{SL}} Sem_{SL}$; middle row: 
$T_{\delta(TL)} \xrightarrow{Int_{\delta(TL)}} Sem_{\delta(TL)}$, joined to the top row by Tr (on the left) and Dec 
(on the right); bottom row: $Syn_{TL} \xrightarrow{Int_{TL}} Sem_{TL}$, joined to the middle row, with 
Decode from $Sem_{TL}$. 

Diagram 9. A general framework for compositional translation 



Below we consider the components of this diagram and their relation with 
the articles we have discussed before. 

- $T_{SL}$ 

The source language is an algebra SL. If the expressions of the source language 
are ambiguous, SL is not suitable as domain of the translation homomorphism. 
Therefore the term algebra $T_{SL}$ is used as domain for the translation 
homomorphism. Such ambiguities arise for natural languages (see sect. 
6 and 7). If the (sub)expressions of a fragment are not ambiguous, then the 
term algebra is isomorphic with the original algebra, and the original algebra 
can be used. This situation arises for logic, and for the examples used in articles 
about compiler construction. Therefore most authors use the original 
algebra as domain of the translation, and not the term algebra. 

- $T_{\delta(TL)}$ and $Sem_{\delta(TL)}$ 

The image of the translation homomorphism has to be an algebra similar 
to the source language algebra (otherwise the translation cannot be a homomorphism). 
Therefore a reconstruction of $T_{SL}$ has to be made. The term 
‘embedding’ from logic reflects this aspect, and the term ‘reconstruction’ is 
used frequently in [37]. Related diagrams with derivors can be found in [42]. 
Other authors on algebraic compiler construction do not mention this aspect 
explicitly, although they proceed in the same way. 

- $\delta$ 

The new operators needed to form a reconstruction of TL are obtained by 
polynomials. In the field of natural language this idea is introduced by [24]. 
The role of polynomials is mostly not explicit in the field of compiler construction, 
but polynomials are frequently used there. In translations of logics, 
polynomial translations are standard, but also non-polynomial translations 
are used sometimes, see sect. 5. In Rosetta (sect. 6) there is, due to the design 
of the algebras, a direct correspondence of operators; but if one investigates 
the details of the operators, it is possible to view them as polynomials as 
well. 

- Dec and Decode 

If Dec exists, then it is unique, because $T_{SL}$ is an initial algebra and the 
diagram has to commute. Then the image of $x \in Sem_{\delta(TL)}$ can be defined 
as $X = Int_{SL}(Tr^{-1}(Int_{TL}^{-1}(x)))$; it only has to be checked that X is 
a singleton. However, in general, it is difficult to say what X is, because 
$Sem_{\delta(TL)}$ is not independently given, but defined indirectly (viz. by means 
of the translation and interpretation). Therefore, there is no information 
whether for $x \in Sem_{TL}$ also $x \in Sem_{\delta(TL)}$. This explains why usually 
not Dec is defined, but Decode; a function with the original meanings as 
domain; Dec is then its restriction to $Sem_{\delta(TL)}$. The ideal that there is an 
isomorphism between source meanings and target meanings (see sect. 2) can 
be reached by switching to a quotient algebra: $Sem_{\delta(TL)}/Ker(Dec)$. Without 
this abstraction Dec will be an isomorphism only in the exceptional case where 
the algebras are designed with this purpose (Rosetta, sect. 6). 

Definition (4), the structure in diagram (9) and the comments given above, 
are just the first steps toward a general framework for translating. The following 
points require further research, and probably other issues as well. 

1. Other translations 

Although this study brings together a lot of algebraic translations, there 
certainly are more. The work on ‘institutions’ (connections between specifi- 
cation formalisms) deals with a related subject [9] . A further comparison may 
give rise to other questions and answers concerning algebraic translation. 

2. Algebra 

In all publications concerning programming languages many sorted algebras 
are used. For Rosetta a one sorted algebra is used, and this also is the case 
in Montague grammar (see [13] for a many sorted version). However, for ap- 
plications to natural language order sorted algebras seem most appropriate, 
and maybe this is also the case for programming languages (cf. [10]). 

3. Homomorphism 

Most publications follow the standard definition of a homomorphism for 
many sorted algebras. [36] argues for generalized homomorphisms: mappings 
which may change the signature (the sort structure). [34, p. 393] gives an- 
other generalization: homomorphisms which have not only elements in their 
range, but also operators. These homomorphisms may not only map two 
elements to one image, but also two operators. 

4. Tools 

In projects which deal with larger fragments of language, tools are needed in 
order to perform all the tasks in an algebraic way. Some of the publications 
mentioned in this article describe such projects which have developed tools: 
[34,37,42], and [29]. 

5. Properties 

Some of the papers discussed here, are of a theoretical nature, and prove 
properties about the framework, e.g. [38] and [34, ch. 19]. These results 
might find their place in a coherent framework. 

10 Conclusion 

In this article we have seen many examples of translations, and sketched a com- 
mon, algebraic, framework. Even the notion ‘correct translation’ turned out to 
be closely related in all fields. Inspired by this unity, I conclude with a quotation 
from ‘Universal Grammar’ ([23, p. 313], reprinted in [41, p. 222]), in which I 
made two adaptations (indicated in italics): 

There is in my opinion no important theoretical difference between natural 
languages and the artificial languages of logicians and computer 
scientists; indeed I consider it possible to comprehend all these kinds of 
languages within a single natural and precise mathematical theory. 
Abstract 

A compositional method is presented for the verification of multi-agent 
systems. The advantages of the method are the well-structuredness of the 
proofs and the reusability of parts of these proofs in relation to reuse of 
components. The method is illustrated for an example multi-agent system, 
consisting of co-operative information gathering agents. This application 
of the verification method results in a formal analysis of pro-activeness and 
reactiveness of agents. 



1 Introduction 

When designing multi-agent systems, it is often hard to guarantee that the 
specification of a system that has been designed actually fulfils the needs, i.e., 
whether it satisfies the design requirements. Especially for critical applications, for 
example in real-time domains, there is a need to prove that the designed system will 
have certain properties under certain conditions (assumptions). While developing a 
proof of such properties, the assumptions that define the bounds within which the 
system will function properly are generated. For nontrivial examples, verification can 
be a very complex process, both in the conceptual and computational sense. For these 
reasons, it is a recent trend in the literature on verification in general to study the use 
of compositionality and abstraction to structure the process of verification; for 
example, see (Abadi and Lamport, 1993; Hooman, 1994; Dams, Gerth and Kelb, 
1996). 

The development of structured modelling frameworks and principled design methods 
tuned to the specific area of multi-agent systems is currently underway; e.g., (Brazier, 
Dunin-Keplicz, Jennings and Treur, 1995; Fisher and Wooldridge, 1997; Kinny, 
Georgeff and Rao, 1996). As part of any mature multi-agent system design method, a 
verification approach is required. For example, in (Fisher and Wooldridge, 1997) 
verification is addressed within a temporal belief logic. This verification method does 
not exploit compositionality within the agents. In the current paper, in Section 3, a 
compositional verification method for multi-agent systems is introduced. Roughly 
spoken, the requirements of the whole system are formally verified by deriving them 
from assumptions that themselves are properties of agents, which in their turn may be 
derived from assumptions on sub-components of agents, and so on. 
The compositional verification method introduced here is illustrated for an example 
multi-agent system, consisting of two cooperative information gathering agents and 
the world. For this example multi-agent system, requirements are formulated (both the 
required static anddynamic properties), including variants ofpro-activeness and 
reactiveness. These requirements are formalised in terms of temporal semantics. It is 
shown how they can be derived from properties of agents and how these agent 
properties in turn can be derived from properties of the agent components. A 
compositional system specification is introduced in Section 4. The system 
specification defines how the system is composed of the two agents and the world and 
how each agent is composed of four agent components: for own process control, 
world interaction management, agent interaction management, and an agent specific 
task (which in this case is classification of objects in the world). The compositional 
specification itself is expressed in the modelling framework DESIRE, briefly 
introduced in Section 2. The application of the compositional verification method to 
the example multi-agent system is presented in Section 5 for the top level of the 
composition. More details on the lower levels can be found in Sections 6 and 7. 

2 Compositional Modelling of Multi-Agent Systems 

The example task model described in this paper is specified within the compositional 
modelling framework DESIRE for multi-agent systems (framework for DEsign and 
Specification of Interacting REasoning components; cf. (Langevelde, Philipsen and 
Treur, 1992; Brazier, Dunin-Keplicz, Jennings, Treur, 1995)). In DESIRE, a design 
consists of knowledge of the following three types: 

• process composition, 

• knowledge composition, 

• the relation between process composition and knowledge composition. 

These three types of knowledge are discussed in more detail below. 

2.1 Process Composition 

Process composition identifies the relevant processes at different levels of (process) 
abstraction, and describes how a process can be defined in terms of lower level 
processes. 

2.1.1 Processes at Different Levels of Abstraction 

Processes can be described at different levels of abstraction; for example, the process 
of the multi-agent system as a whole, processes defined by individual agents and the 
external world, and processes defined by task-related components of individual agents. 

Specification of a Process 

The identified processes are modelled as components. For each process the types of 
information required as input and resulting as output are identified as well. This is 
modelled as input and output interfaces of the components. 

Specification of Process Abstraction Levels 

The identified levels of process abstraction are modelled as abstraction/specialisation 
relations between components at adjacent levels of abstraction: components may be 
composed of other components or they may be primitive. Primitive components may 
be either reasoning components (for example based on a knowledge base), or, 
alternatively, components capable of performing tasks such as calculation, 
information retrieval, optimisation, et cetera. 

The identification of processes at different abstraction levels results in specification of 
components that can be used as building blocks, and of a specification of the sub- 
component relation, defining which components are a sub-component of which 
other component. The distinction of different process abstraction levels results in 
process hiding. 

2.1.2 Composition of Processes 

The way in which processes at one level of abstraction are composed of processes at 
the adjacent lower abstraction level is called composition. This composition of 
processes is described by the possibilities for information exchange between processes 
(static view on the composition), and task control knowledge used to control 
processes and information exchange (dynamic view on the composition). 

Information Exchange 

Knowledge of information exchange defines which types of information can be 
transferred between components and the information links by which this can be 
achieved. Two types of information links are distinguished: private information links 
and mediating information links. For a given parent component, a private information 
link relates output of one of its components to input of another, by specifying which 
truth value of a specific output atom is linked with which truth value of a specific 
input atom. Atoms can be renamed: each component can be specified in its own 
language, independent of other components. In a similar manner mediating 
information links transfer information from the input interface of the parent 
component to the input interface of one of its components, or from the output 
interface of one of its components to the output interface of the parent component 
itself. Mediating links specify the relation between the information at two adjacent 
abstraction levels in the process composition. 

Task Control Knowledge 

Components may be activated sequentially or they may be continually capable of 
processing new input as soon as it arrives (awake). The same holds for information 
links: information links may be explicitly activated or they may be awake. Task 
control knowledge specifies under which conditions which components and 
information links are active (or made awake). Evaluation criteria, expressed in terms 
of the evaluation of the results (success or failure), provide a means to guide further 
processing. 

2.2 Knowledge Composition 

Knowledge composition identifies the knowledge structures at different levels of 
(knowledge) abstraction, and describes how a knowledge structure can be defined in 
terms of lower level knowledge structures. The knowledge abstraction levels may 
correspond to the process abstraction levels, but this is often not the case. 
2.2.1 Knowledge Structures at Different Abstraction Levels 

The two main structures used as building blocks to model knowledge are: information 
types and knowledge bases. Knowledge structures can be identified and described at 
different levels of abstraction. The resulting levels of knowledge abstraction can be 
distinguished for both information types and knowledge bases. 

Information Types 

An information type defines an ontology (lexicon, vocabulary) to describe objects or 
terms, their sorts, and the relations or functions that can be defined on these objects. 
Information types can logically be represented as signatures in order-sorted predicate 
logic. 

Knowledge Bases 

A knowledge base defines a part of the knowledge that is used in one or more of the 
processes. Knowledge is represented logically by rules in order-sorted predicate logic. 

Knowledge bases use ontologies defined in information types. Which information 
types are used in a knowledge base defines a relation between information types and 
knowledge bases. 

2.2.2 Composition of Knowledge Structures 

Information types can be composed of more specific information types, following the 
principle of compositionality discussed above. Similarly, knowledge bases can be 
composed of more specific knowledge bases. The compositional structure is based on 
the different levels of knowledge abstraction that are distinguished, and results in 
information and knowledge hiding. 

2.3 Relation Between Process and Knowledge Composition 

Each process in a process composition uses knowledge structures. Which knowledge 
structures are used for which processes is defined by the relation between process 
composition and knowledge composition. 

The semantics of the modelling language are based on temporal logic (cf. Brazier, 
Treur, Wijngaards and Willems, 1996). Design is supported by graphical tools within 
the DESIRE software environment. Translation into an operational system is 
straightforward; the software environment includes implementation generators with 
which specifications can be translated into executable code. DESIRE has been 
successfully applied to design both single agent and multi-agent systems. 

3 Compositional Verification 

The purpose of verification is to prove that, under a certain set of assumptions, a 
system will adhere to a certain set of properties, for example the design requirements. 
In our approach, this is done by a mathematical proof (i.e., a proof in the form 
mathematicians are accustomed to do) that the specification of the system together 
with the assumptions implies the properties that it needs to fulfil. In this sense 
verification leads to a formal analysis of relations between properties and 
assumptions. 
3.1 The Compositional Verification Method 

A compositional multi-agent system can be viewed at different levels of abstraction. 
Viewed from the top level, denoted by $L_0$, the complete system is one component S, 
with interfaces, whereas internal information and processes are hidden (information and 
process hiding). At the next lower level of abstraction, the system component S can 
be viewed as a composition of agents and the world, information links between them, 
and task control. Each agent A is composed of its sub-components, and so on. The 
compositional verification method takes this compositional structure into account. 

For composed components two types of properties are recognised: behavioural and 
environmental properties. A behavioural property is a property on the output of the 
component. Behavioural properties can be conditional, or unconditional. A 
behavioural property is conditional if the statements about the output of the 
component hold under the assumption that some specific conditions hold for its input. 
For example, a conditional behavioural property of a diagnostic agent could be 
conditional conclusion correctness of an agent (i.e., if the observation information 
needed for diagnosis, which is input of the agent, is correct, then all diagnostic output 
of the agent is correct), whereas the corresponding unconditional property would be 
conclusion correctness of an agent (i.e., all diagnostic output of the agent is correct). 
An environmental property is a property on the input of the component (possibly 
referring to certain conditions on the output). 

The primitive components can be verified using more traditional verification methods 
such as described in (Treur and Willems, 1994; Leemans, Treur and Willems, 1995). 
Verification of a composed component is done using properties of the sub- 
components it embeds and the task control knowledge, and environmental properties 
of the component (depending on the rest of the system, including the world). This 
introduces a form of compositionality in the verification process: given a set of 
environmental properties the proof that a certain component adheres to a set of 
behavioural properties depends on the (assumed) properties of its sub-components, 
properties of the interactions between those sub-components, and the manner in which 
they are controlled. The assumptions under which the component functions properly 
are the properties to be proven for its sub-components. This implies that properties at 
different levels of abstraction are involved in the verification process. 

Often these properties are not given at the start of the verification process. Actually, 
the process of verification has two main aims: 

• to find the properties 

• given the properties, to prove the properties 

The verification proofs that connect one abstraction level with the other are 
compositional in the following manner: any proof relating level i to level i+1 can be 
combined with any proof relating level i-1 to level i, as long as the same properties at 
level i are involved. This means, for example, that the whole compositional structure 
beneath level i can be replaced by a completely different design as long as the same 
properties at level i are achieved. After such a modification the proof from level i to 
level i+1 can be reused; only the proof from level i-1 to level i has to be adapted. In 
this sense the verification method supports reuse of verification proofs. 
The compositional verification method can be formulated in more detail as follows: 

A. Verifying one Abstraction Level Against the Other 

For each abstraction level the following procedure for verification is followed: 

1. Determine which properties are of interest (for the higher level). 

2. Determine which assumptions (at the lower level) are needed to guarantee these 
properties, and which environment properties. 

3. Prove the properties on the basis of these assumptions, and the environment 
properties. 

B. Verifying a Primitive Component 

For primitive knowledge-based components a number of techniques exist in literature, 
see for example (Treur, Willems 1994; Leemans, Treur, Willems 1995). For 
primitive non-knowledge-based components, such as databases, or neural networks, or 
optimisation algorithms, verification techniques can be used that are especially tuned 
for that type of component. 

C. The Overall Verification Process 

To verify the complete system 

1. Determine the properties that are desired for the whole system. 

2. Apply the above procedure A iteratively until primitive components are reached. 
In the iteration the desired properties of abstraction level $L_i$ are either: 

• those determined in step A1, if i = 0, or 

• the assumptions made for the higher level $L_{i-1}$, if i > 0 

3. Verify the primitive components according to B. 

The results of verification are: 

• Properties and assumptions at the different abstraction levels. 

• The logical relations between the properties of different abstraction levels. 

Notes: 

• both static and dynamic properties and connections between them are covered. 

• reuse of verification results is supported (refining an existing verified 
compositional model by further decomposition leads to a verification of the 
refined system in which the verification structure of the original system can 
be reused). 

• process and information hiding limits the complexity of the verification per 
abstraction level. 

• a requirement to apply the compositional verification method described above 
is the availability of an explicit specification of how the system description 
at an abstraction level $L_i$ is composed from the descriptions at the lower 
abstraction level $L_{i+1}$; the compositional modelling framework DESIRE is an 
instance of a modelling framework that fulfils this requirement. 

• in principle alternative (e.g., bottom-up or mixed) procedures can be 
formulated as well. 
3.2 Semantics Behind the Compositional Verification Method 

In principle, verification is always relative to semantics of the system descriptions 
that are verified. For the compositional verification method, these semantics are based 
on compositional information states which evolve over time. In this subsection a 
brief overview of these assumed semantics is given. 

An information state M of a component D is an assignment of truth values {true, false, 
unknown} to the set of ground atoms that play a role within D. The compositional 
structure of D is reflected in the structure of the information state. A formal definition 
can be found in (Brazier, Treur, Wijngaards and Willems, 1996; Brazier, Eck and 
Treur, 1996). The set of all possible information states of D is denoted by IS(D). 

A trace $\mathcal{M}$ of a component D is a sequence of information states $(M_t)_{t \in \mathbb{N}}$ in IS(D). 

The set of all traces is denoted by $IS(D)^{\mathbb{N}}$, or Traces(D). Given a trace $\mathcal{M}$ of component 
D, the information state of the input interface of component C at time point t of the 
component D is denoted by $\mathrm{state}_D(\mathcal{M}, t, \mathrm{input}(C))$, where C is either D or a sub-component 
of D. Analogously, $\mathrm{state}_D(\mathcal{M}, t, \mathrm{output}(C))$ denotes the information state of the output 
interface of component C at time point t of the component D. Given a trace $\mathcal{M}$ of 
component D, the task control information state of component C at time point t of the 
component D is denoted by $\mathrm{state}_D(\mathcal{M}, t, \mathrm{tc}(C))$, where C is either D or a sub-component 
of D. 

To connect neighbouring levels of abstraction in a verification proof for a DESIRE 
specification, the following elements can be used: 

• the assumptions of the sub-components specified within component D 

• the interactions between the sub-components of D and/or the interfaces of D 

• the input / output information states of the sub-components of D 

• the task control information states of the sub-components of D 

• the information states of component D 

• the task control information states of component D 

4 The Example Multi-Agent Model 

The example multi-agent model is composed of three components: two agents A and B 
and a component W representing the external world, see Figure 1. Each of the agents 
is able to acquire partial information about the external world (by observation). Each 
agent’s own observations are insufficient to draw conclusions of a desired type, but 
the combined information of both agents is sufficient. Therefore communication is 
required to be able to draw conclusions. The agents can communicate their own 
observation results and requests for observation information of the other agent. This 
situation, which is not unrealistic in itself, is simplified to the following concrete form. The 
world situation consists of an object that has to be classified. One agent can only 
observe the bottom view of the object, the other agent the side view. By exchanging 
and combining observation information they are able to classify the object. 
Fig. 1. The example Multi-Agent System 



Communication from the agent A to B takes place in the following manner: 

• the agent A generates at its output interface a statement of the form: 

to_be_communicated_to(<type>, <atom>, <sign>, B) 

• the information is transferred to B; thereby it is translated into 

communicated_by(<type>, <atom>, <sign>, A) 

In the example <type> can be filled with a label request or world_info, <atom> is an atom 
expressing information on the world, and <sign> is one of pos or neg, to indicate truth 
or falsity. 

Interaction between an agent A and the world takes place as follows: 

• the agent A generates at its output interface a statement of the form: 

to_be_observed(<atom>) 

• the information is transferred to W; thereby it is translated into 

to_be_observed_by(<atom>, A) 

• the world W generates at its output interface a statement of the form: 

observation_result_for(<atom>, <sign>, A) 

• the information is transferred to A; thereby it is translated into 

observation_result(<atom>, <sign>) 

Part of the output of an agent are conclusions about the classification of the object of 
the form object_type(s); these are transferred to the output of the system. 
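As an added example (not code from the paper or from the DESIRE environment), the following Python sketch models the information links of Section 2.1.2 as applied to the translations just described: a link copies the truth value of a linked output atom to a renamed input atom of the destination component, and output atoms that are not linked stay hidden. The Component and Link classes, the tuple representation of atoms, the sample atoms and all function names are assumptions of this example.

```python
# Added example (not from the paper or DESIRE): a toy model of information links.
# A component has an input and an output interface, each holding ground atoms
# with a truth value in {true, false, unknown}.  A link relates output atoms of
# the source to input atoms of the destination and may rename them, so that
# each component keeps its own language.  The translations modelled are those
# of Section 4:
#   to_be_communicated_to(type, atom, sign, B) at output(A) -> communicated_by(type, atom, sign, A) at input(B)
#   to_be_observed(atom)                       at output(A) -> to_be_observed_by(atom, A)          at input(W)
#   observation_result_for(atom, sign, A)      at output(W) -> observation_result(atom, sign)      at input(A)
# Class and function names are assumptions of this example.
from dataclasses import dataclass, field
from typing import Callable, Optional

TRUE, FALSE, UNKNOWN = "true", "false", "unknown"

Atom = tuple   # a ground atom is a tuple (predicate, arg1, arg2, ...)

@dataclass
class Component:
    name: str
    input: dict = field(default_factory=dict)    # Atom -> truth value
    output: dict = field(default_factory=dict)   # Atom -> truth value

@dataclass
class Link:
    """Private information link inside one parent component: output of `src`
    to input of `dst`.  `rename` maps a source output atom to the destination
    input atom it is linked with, or to None when the atom is not linked."""
    src: Component
    dst: Component
    rename: Callable[[Atom], Optional[Atom]]

def transfer(link: Link) -> int:
    """Activate the link once: copy the truth value of every linked output atom
    to its renamed counterpart at the destination input.  Returns the number of
    atoms transferred.  Unlinked atoms never cross: that is the information
    hiding the composition provides."""
    moved = 0
    for atom, value in link.src.output.items():
        target = link.rename(atom)
        if target is not None:
            link.dst.input[target] = value
            moved += 1
    return moved

def communication_rename(sender: str, receiver: str):
    """to_be_communicated_to(type, atom, sign, receiver) -> communicated_by(type, atom, sign, sender)."""
    def rename(atom):
        if atom[0] == "to_be_communicated_to" and atom[4] == receiver:
            return ("communicated_by", atom[1], atom[2], atom[3], sender)
        return None
    return rename

def observation_request_rename(agent: str):
    """to_be_observed(atom) -> to_be_observed_by(atom, agent)."""
    def rename(atom):
        if atom[0] == "to_be_observed":
            return ("to_be_observed_by", atom[1], agent)
        return None
    return rename

def observation_result_rename(agent: str):
    """observation_result_for(atom, sign, agent) -> observation_result(atom, sign);
    results addressed to other agents are not linked and stay hidden."""
    def rename(atom):
        if atom[0] == "observation_result_for" and atom[3] == agent:
            return ("observation_result", atom[1], atom[2])
        return None
    return rename

def demo():
    """Run the three translations on constructed atoms; return the input interfaces of A, B and W."""
    a, b, w = Component("A"), Component("B"), Component("W")
    # Constructed sample: A asks W for its bottom view and tells B a piece of world info.
    a.output[("to_be_observed", "view(A,bottom)")] = TRUE
    a.output[("to_be_communicated_to", "world_info", "view(A,bottom)", "pos", "B")] = TRUE
    # Constructed: W answers A, and also holds a result addressed to B that A must not see.
    w.output[("observation_result_for", "view(A,bottom)", "pos", "A")] = TRUE
    w.output[("observation_result_for", "view(B,side)", "neg", "B")] = TRUE
    transfer(Link(a, b, communication_rename("A", "B")))
    transfer(Link(a, w, observation_request_rename("A")))
    transfer(Link(w, a, observation_result_rename("A")))
    return a.input, b.input, w.input
```

The renaming functions are where the "each component in its own language" principle lives: B never sees A's to_be_communicated_to atom, only its own communicated_by atom, and the result W holds for B is filtered out of A's input by the link rather than by A itself.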

To be able to perform its tasks, each agent is composed of four components, see 
Figure 2: three for generic agent tasks (world interaction management, agent interaction 
management, own process control), and one for an agent specific task (object classification). 
Fig. 2. Composition of an agent 



object classification (agent specific task) 

This component is able to draw a conclusion if it has input on the two views on the 
object. The component can reason on the basis of the world knowledge represented in 
the table depicted in Table 1: 




Table 1. World knowledge 
world interaction management 

This component reasons about the manner in which the agent interacts with the 
world. Here it is decided under which conditions which observations are to be 
performed in the world. 



agent interaction management 

This component reasons about the agent’s communication with other agents. In this 
component it is determined when to request which information from the other agent. 
Another task is to determine when to provide which observation information to the 
other agent and what to do with the world information received from the other agent. 



own process control 

This component defines the agent’s own characteristics or attitudes. Information on 
these attitudes can be transferred to other components, to influence the reasoning that 
takes place there. The agents can differ in their attitudes towards observation and 
communication: an agent may or may not be pro-active, in the sense that it takes the 
initiative with respect to one or more of: 

• performing observations 

• communicate its own observation results to the other agent 

• ask the other agent for its observation results 

• draw conclusions about the classification of the object 

Moreover, it may be reactive to the other agent in the sense that it responds to a 
request for observation information: 

• by communicating its observation result as soon as they are available 

• by starting to observe for the other agent 

These agent attitudes are represented explicitly as (meta-)facts in the agent’s 
component own process control. By varying these attitude facts, different variants of 
agents can be defined. The impact of these explicitly specified characteristics has been 
specified in the model. For example, if an agent has the attitude that it will always 
take the initiative to communicate its observation results as soon as they are acquired, 
then the agent’s behaviour should show this, but if the characteristic is not there, then 
this behaviour should not be present. This requires an adequate interplay between the 
component own process control and the component agent interaction management within the 
agent, and adequate knowledge within agent interaction management. 

The successfulness of the system depends on the attitudes of the agents. For example, 
if both agents are pro-active and reactive in all respects, then they can easily come to a 
conclusion. However, it is also possible that one of the agents is only reactive, and 
still the other agent comes to a conclusion. Or, an agent that is only pro-active in 
reasoning and reactive in information acquisition may come to a conclusion due to 
pro-activeness of the other agent. So, successfulness can be achieved in many ways 
and depends on subtle interactions between pro-activeness and reactiveness attitudes of 
both agents. The formal analysis of the example in the following sections provides a 
detailed picture of these possibilities. 




360 C.M. Jonker and J. Treur 

5 Formal Analysis of the Example System: Top Level 

In this section the properties of the system as a whole (defined in Section 5.1) are 
related to properties of the agents and the world (defined in Section 5.2 and 5.3), and 
their interaction. 

5.1 Properties for the Top Level of the System 

First, it is determined which properties the system as a whole should satisfy. 
Considering that the system S is a classification system, it is expected that S produces 
output of the form object_type(s) for some s. A first requirement is that output generated 
by the system is correct, i.e., if the system derives object_type(s) for some s, it is true 
in the world situation. Let the world state (which is assumed static) be denoted by M. 
In Figure 4 the successfulness property of S is related to other properties of S and 
assumed properties of the next level. In Figure 3 the correctness property of S is 
similarly related to other properties. The following property relates the output of the 
system to the current world state. 

Correctness of S 

The system S is called correct if: 

$$\forall \mathcal{M} \in \mathit{Traces}(S)\ \forall t\ \forall s$$

$$[\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(S)) \models \mathrm{object\_type}(s) \Rightarrow M \models \mathrm{object\_type}(s)\ ]$$

$$\wedge\ [\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(S)) \models \neg\mathrm{object\_type}(s) \Rightarrow M \models \neg\mathrm{object\_type}(s)\ ]$$

Output information of S is only provided by agents 

As can be seen in Figure 1 the only information links connected to the output of S are 
the information link from agent A to S and the information link from agent B to S. 
Furthermore, the output interface of S cannot spontaneously change its contents. 
Therefore, the output information of the system is only provided by agents. 



[Fig. 3 (tree): correctness of S is derived from conclusion correctness of all agents and from output information of S is only provided by the agents] 

Fig. 3. Correctness of S 

Next, the system is required to be successful in generating conclusions: during the 
process, for each s, at some time point it should either have derived positive output, 
or negative output: 

Successfulness of S 

The system S is called successful if: 

$$\forall \mathcal{M} \in \mathit{Traces}(S)\ \forall s\ [\ \exists t\ \ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(S)) \models \mathrm{object\_type}(s)$$

$$\vee\ \exists t\ \ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(S)) \models \neg\mathrm{object\_type}(s)\ ]$$
To guarantee the adequate information exchange between the different components, the 
following properties are needed: 

Interaction effectiveness 

The interaction from agent X to the output interface of system S is called effective if, 
for $\varphi$ either $\mathrm{object\_type}(s)$ or $\neg\mathrm{object\_type}(s)$: 

$$\forall \mathcal{M} \in \mathit{Traces}(S)\ \forall t\ \forall s\ [\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(X)) \models \varphi$$

$$\Rightarrow \exists t' > t\ \ \mathrm{state}_S(\mathcal{M}, t', \mathrm{output}(S)) \models \varphi\ ]$$

The interaction from the external world W to agent X is called effective if: 

$$\forall \mathcal{M} \in \mathit{Traces}(S)\ \forall t\ \forall r, sign$$

$$[\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(W)) \models \mathrm{observation\_result\_for}(\mathrm{view}(X,r), sign, X)$$

$$\Rightarrow \exists t' > t\ \ \mathrm{state}_S(\mathcal{M}, t', \mathrm{input}(X)) \models \mathrm{observation\_result}(\mathrm{view}(X,r), sign)\ ]$$

The interaction from the agent X to the external world W is called effective if: 

$$\forall \mathcal{M} \in \mathit{Traces}(S)\ \forall t\ \forall r, sign$$

$$[\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(X)) \models \mathrm{to\_be\_observed}(\mathrm{view}(X,r))$$

$$\Rightarrow \exists t' > t\ \ \mathrm{state}_S(\mathcal{M}, t', \mathrm{input}(W)) \models \mathrm{to\_be\_observed\_by}(\mathrm{view}(X,r), X)\ ]$$

Interaction effectiveness can be proven from the detailed specification of the 
information links involved and the timely functioning of those information links as 
specified in the task control of the component containing the information link given 
in the detailed specification. This property is needed to prove several environment 
properties of the agents and also to prove successfulness of S. Sometimes it will not 
be stated explicitly. 

Agent provides output information of S 

An agent X provides output information of system S if X is conclusion successful and 
the interaction from X to S is effective. 



[Fig. 4 (tree): S is successful is derived from A provides output information of S (conclusion successfulness, A; effective interaction from A to S) or B provides output information of S (conclusion successfulness, B; effective interaction from B to S)] 

Fig. 4. Successfulness of S 



It is undesirable (for a static world situation) that the system changes its mind during 
the process. Therefore the requirement is chosen that once a conclusion has been 
derived, this is never revised: 
Conservativity of S 

The system S is called conservative if: 

$$\forall \mathcal{M} \in \mathit{Traces}(S)\ \forall t\ \forall s$$

$$(\ [\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(S)) \models \mathrm{object\_type}(s) \Rightarrow \forall t' > t\ \ \mathrm{state}_S(\mathcal{M}, t', \mathrm{output}(S)) \models \mathrm{object\_type}(s)\ ]$$

$$\wedge\ [\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(S)) \models \neg\mathrm{object\_type}(s) \Rightarrow \forall t' > t\ \ \mathrm{state}_S(\mathcal{M}, t', \mathrm{output}(S)) \models \neg\mathrm{object\_type}(s)\ ]\ )$$

The property of conservativity of S can be proven in a similar way as the other 
properties of S. The proof has been omitted from this paper. 

Communication effectiveness 

The communication from agent X to agent Y is called effective if: 

$$\forall \mathcal{M} \in \mathit{Traces}(S)\ \forall t\ \forall q, a, sign$$

$$[\ \mathrm{state}_S(\mathcal{M}, t, \mathrm{output}(X)) \models \mathrm{to\_be\_communicated\_to}(q, a, sign, Y)$$

$$\Rightarrow \exists t' > t\ \ \mathrm{state}_S(\mathcal{M}, t', \mathrm{input}(Y)) \models \mathrm{communicated\_from}(q, a, sign, X)\ ]$$

where q is the type and a the atom of the communicated statement (cf. Section 4). 

Communication effectiveness can be proven in the same way as interaction 
effectiveness. This property is needed to prove environment properties of the agents. 
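The following added example (not code from the paper) makes the trace semantics of Section 3.2 and the top-level properties of this section concrete: it encodes a trace as a list of information states and checks correctness, successfulness, conservativity and interaction effectiveness of S on constructed finite traces, and it derives successfulness of S compositionally from "an agent provides output information of S" as in Figure 4. Interface names such as output(S), the object type "cube", and all function names are assumptions of this example. Because the paper's traces are infinite, the example reads the final state of a finite prefix as repeating forever (stuttering); that is this example's convention, not the paper's.

```python
# Added example (not code from the paper): the trace semantics of Section 3.2
# and the top-level properties of Section 5.1, checked on constructed finite
# traces.  An information state maps an interface name such as "output(S)" to
# a dict of ground atoms with truth value "true" / "false"; absent atoms are
# unknown.  A trace is a list of information states indexed by t = 0, 1, ...
# "state |= p" is modelled as value true, "state |= not p" as value false.
# Interface names, the object type "cube" and all function names are
# assumptions of this example.

def state(trace, t, interface):
    """state_D(M, t, interface): the truth assignment of one interface at time t."""
    return trace[t].get(interface, {})

def holds(st, atom):       # st |= atom
    return st.get(atom) == "true"

def holds_neg(st, atom):   # st |= not atom
    return st.get(atom) == "false"

def later(trace, t):
    """Time points strictly after t.  The paper's traces are infinite; this
    example reads a finite prefix as if its last state repeated forever
    (stuttering), so the final state counts as its own successor."""
    return list(range(t + 1, len(trace))) or [len(trace) - 1]

def correct(trace, world, types):
    """Correctness of S: every object_type(s) verdict at output(S) agrees with the world state M."""
    for t in range(len(trace)):
        out = state(trace, t, "output(S)")
        for s in types:
            atom = f"object_type({s})"
            if holds(out, atom) and not holds(world, atom):
                return False
            if holds_neg(out, atom) and not holds_neg(world, atom):
                return False
    return True

def conclusion_successful(trace, interface, types):
    """For every s some time point decides object_type(s), positively or negatively, at `interface`."""
    return all(any(holds(state(trace, t, interface), f"object_type({s})")
                   or holds_neg(state(trace, t, interface), f"object_type({s})")
                   for t in range(len(trace)))
               for s in types)

def conservative(trace, interface, types):
    """Once object_type(s) or its negation is derived at `interface`, it is never revised."""
    for s in types:
        atom = f"object_type({s})"
        for t in range(len(trace)):
            st = state(trace, t, interface)
            for u in later(trace, t):
                lt = state(trace, u, interface)
                if holds(st, atom) and not holds(lt, atom):
                    return False
                if holds_neg(st, atom) and not holds_neg(lt, atom):
                    return False
    return True

def interaction_effective(trace, src, dst, types):
    """Every verdict at interface `src` reappears at interface `dst` at some strictly later time."""
    for s in types:
        atom = f"object_type({s})"
        for t in range(len(trace)):
            st = state(trace, t, src)
            for test in (holds, holds_neg):
                if test(st, atom) and not any(test(state(trace, u, dst), atom) for u in later(trace, t)):
                    return False
    return True

def agent_provides_output(trace, agent, types):
    """Figure 4: agent X provides output information of S iff X is conclusion
    successful and the interaction from X to S is effective."""
    return (conclusion_successful(trace, f"output({agent})", types)
            and interaction_effective(trace, f"output({agent})", "output(S)", types))

def successful_by_composition(trace, agents, types):
    """Successfulness of S derived from the level below: some agent provides output information of S."""
    return any(agent_provides_output(trace, x, types) for x in agents)

# Constructed trace: A concludes object_type(cube) at t=1; the link from A to S delivers it at t=2.
GOOD_TRACE = [
    {},
    {"output(A)": {"object_type(cube)": "true"}},
    {"output(A)": {"object_type(cube)": "true"}, "output(S)": {"object_type(cube)": "true"}},
    {"output(A)": {"object_type(cube)": "true"}, "output(S)": {"object_type(cube)": "true"}},
]
# Constructed counter-example: S revises its conclusion at t=3 and then contradicts the world.
FLIP_TRACE = [
    {},
    {"output(A)": {"object_type(cube)": "true"}},
    {"output(A)": {"object_type(cube)": "true"}, "output(S)": {"object_type(cube)": "true"}},
    {"output(A)": {"object_type(cube)": "true"}, "output(S)": {"object_type(cube)": "false"}},
]
WORLD = {"object_type(cube)": "true"}   # constructed static world state M
TYPES = ["cube"]
```

On FLIP_TRACE the direct check of successfulness still passes (a verdict was produced), while correctness and conservativity fail and the compositional derivation via agent A fails too, because the interaction from A to S is no longer effective once S revises A's conclusion. That illustrates the point of Section 3.1: the proof of the top-level property rests on the assumptions about the level below, and a violated assumption is found as a failed lower-level property.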

5.2 Properties of the Agents 

The required properties of the system have been proven from assumed properties of the 
components at one level lower. During this proof process these assumptions have 
been discovered. A number of assumptions are quite straightforward. For example, 
correctness inherits upward from the agents to the system: 

Conclusion correctness of an agent 

An agent X is called conclusion correct if: 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall s$$

$$[\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{output}(X)) \models \mathrm{object\_type}(s) \Rightarrow M \models \mathrm{object\_type}(s)\ ]$$

$$\wedge\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{output}(X)) \models \neg\mathrm{object\_type}(s) \Rightarrow M \models \neg\mathrm{object\_type}(s)\ ]$$

This property logically depends on other properties of the agent, input correctness and 
conditional conclusion correctness, as can be seen for agent A in Figure 5. 

Input correctness of an agent 

a) An agent X is called observation input correct if 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{observation\_result}(\mathrm{view}(X,r), pos) \Rightarrow M \models \mathrm{view}(X,r)\ ]$$

$$\wedge\ \forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{observation\_result}(\mathrm{view}(X,r), neg) \Rightarrow M \models \neg\mathrm{view}(X,r)\ ]$$

b) An agent X is called communication input correct if 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{communicated\_from}(\mathrm{world\_info}, \mathrm{view}(Y,r), pos, Y) \Rightarrow M \models \mathrm{view}(Y,r)\ ]$$

$$\wedge\ \forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{communicated\_from}(\mathrm{world\_info}, \mathrm{view}(Y,r), neg, Y) \Rightarrow M \models \neg\mathrm{view}(Y,r)\ ]$$
c) An agent X is called input correct if X is observation input correct and 
communication input correct. 

Conditional conclusion correctness of an agent 

An agent X is called conditionally conclusion correct if the following holds: if input 
correctness of X then conclusion correctness of X. 



[Fig. 5 (tree): conclusion correctness, A is derived from input correctness, A (observation input correctness, A; communication input correctness, A) and conditional conclusion correctness, A] 

Fig. 5. Conclusion correctness of A 

The following property is needed to prove conservativity of S. 

Conclusion conservativity of an agent 

The agent X is called conclusion conservative if: 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall s$$

$$(\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{output}(X)) \models \mathrm{object\_type}(s) \Rightarrow \forall t' > t\ \ \mathrm{state}_X(\mathcal{M}, t', \mathrm{output}(X)) \models \mathrm{object\_type}(s)\ ]$$

$$\wedge\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{output}(X)) \models \neg\mathrm{object\_type}(s) \Rightarrow \forall t' > t\ \ \mathrm{state}_X(\mathcal{M}, t', \mathrm{output}(X)) \models \neg\mathrm{object\_type}(s)\ ]\ )$$

Again, the proof has been omitted from this paper. Successfulness of the system (see 
Figure 4) depends on successfulness of at least one of the agents. 

Conclusion successfulness of an agent 

The agent X is called conclusion successful if: 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall s\ [\ \exists t\ \ \mathrm{state}_X(\mathcal{M}, t, \mathrm{output}(X)) \models \mathrm{object\_type}(s)$$

$$\vee\ \exists t\ \ \mathrm{state}_X(\mathcal{M}, t, \mathrm{output}(X)) \models \neg\mathrm{object\_type}(s)\ ]$$

This property can be proven in a number of ways. However, in all proofs the 
properties information saturation of the agent and conclusion pro-activeness is 
required, see Figure 6 for the logical relations between properties of agent A that are 
needed to prove conclusion successfulness of agent A. 
Information saturation of an agent 

a) The agent X is called observation info saturating if: 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \exists t\ \forall r\ \exists sign\ \ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{observation\_result}(\mathrm{view}(X,r), sign)$$

b) The agent X is called communicated info saturating if: 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \exists t\ \forall r\ \exists sign\ \ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{communicated\_from}(\mathrm{world\_info}, \mathrm{view}(Y,r), sign, Y)$$

c) The agent X is called request saturating if for all agents Y different from X: 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \exists t\ \forall r\ \ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{communicated\_from}(\mathrm{request}, \mathrm{view}(X,r), pos, Y)$$

d) The agent X is called information saturating if X is observation info saturating and 
communicated info saturating. 

Conclusion pro-activeness 

The agent X is called conclusion pro-active if for all agents Y different from X: 

$$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t, t'$$

$$[\ \forall r, r'\ \exists sign, sign'\ [\ \mathrm{state}_X(\mathcal{M}, t, \mathrm{input}(X)) \models \mathrm{observation\_result}(\mathrm{view}(X,r), sign)\ \wedge$$

$$\mathrm{state}_X(\mathcal{M}, t', \mathrm{input}(X)) \models \mathrm{communicated\_from}(\mathrm{world\_info}, \mathrm{view}(Y,r'), sign', Y)\ ]\ ]$$

$$\Rightarrow \exists t'' > t, t'' > t'\ \forall s\ [\ \mathrm{state}_X(\mathcal{M}, t'', \mathrm{output}(X)) \models \mathrm{object\_type}(s)$$

$$\vee\ \mathrm{state}_X(\mathcal{M}, t'', \mathrm{output}(X)) \models \neg\mathrm{object\_type}(s)\ ]$$
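As an added example (not code from the paper), the agent-level properties information saturation and conclusion pro-activeness are checked below on a constructed finite trace of agent A, using the same list-of-states representation of a trace as in Section 3.2. The view aspects r ("shape" and "colour"), the object types s, the reading of the final state as repeating forever (stuttering), and all function names are assumptions of this example. The second constructed trace shows an agent that is information saturating but never draws a conclusion, which the pro-activeness check rejects.

```python
# Added example (not from the paper): agent-level properties of Section 5.2 on
# a constructed trace.  A trace is a list of information states; a state maps
# an interface name ("input(A)", "output(A)") to {atom: "true" | "false"};
# absent atoms are unknown.  VIEWS (the aspects r of view(X, r)) and TYPES (the
# object types s) are constructed sets, and the function names are assumptions.

VIEWS = ["shape", "colour"]
TYPES = ["cube", "sphere"]

def state(trace, t, interface):
    """state_X(M, t, interface): truth assignment of one interface at time t."""
    return trace[t].get(interface, {})

def has_sign(st, make_atom):
    """Exists sign in {pos, neg} such that st |= make_atom(sign)."""
    return any(st.get(make_atom(sign)) == "true" for sign in ("pos", "neg"))

def obs_atom(x, r):      # observation_result(view(X,r), sign), sign left open
    return lambda sign: f"observation_result(view({x},{r}),{sign})"

def comm_atom(y, r):     # communicated_from(world_info, view(Y,r), sign, Y), sign left open
    return lambda sign: f"communicated_from(world_info,view({y},{r}),{sign},{y})"

def observation_info_saturating(trace, x):
    """Exists t, for all r, exists sign: input(X) at t |= observation_result(view(X,r), sign)."""
    return any(all(has_sign(state(trace, t, f"input({x})"), obs_atom(x, r)) for r in VIEWS)
               for t in range(len(trace)))

def communicated_info_saturating(trace, x, y):
    """Exists t, for all r, exists sign: input(X) at t |= communicated_from(world_info, view(Y,r), sign, Y)."""
    return any(all(has_sign(state(trace, t, f"input({x})"), comm_atom(y, r)) for r in VIEWS)
               for t in range(len(trace)))

def information_saturating(trace, x, y):
    return observation_info_saturating(trace, x) and communicated_info_saturating(trace, x, y)

def decided(st, s):
    """st |= object_type(s) or st |= not object_type(s)."""
    return st.get(f"object_type({s})") in ("true", "false")

def conclusion_pro_active(trace, x, y):
    """Whenever all observation results are in at t and all of Y's world info is in
    at t', some t'' later than both has output(X) deciding every object type."""
    n = len(trace)
    for t in range(n):
        if not all(has_sign(state(trace, t, f"input({x})"), obs_atom(x, r)) for r in VIEWS):
            continue                                   # antecedent false: nothing to prove
        for t2 in range(n):
            if not all(has_sign(state(trace, t2, f"input({x})"), comm_atom(y, r)) for r in VIEWS):
                continue
            start = max(t, t2) + 1
            witnesses = range(start, n) if start < n else [n - 1]   # stuttering at the prefix end
            if not any(all(decided(state(trace, u, f"output({x})"), s) for s in TYPES) for u in witnesses):
                return False
    return True

def sample_trace():
    """Constructed trace of A: observations arrive at t=0, B's info at t=1, A decides at t=3."""
    obs = {obs_atom("A", r)("pos"): "true" for r in VIEWS}
    comm = {comm_atom("B", r)("neg"): "true" for r in VIEWS}
    both = {**obs, **comm}
    verdict = {"object_type(cube)": "true", "object_type(sphere)": "false"}
    return [{"input(A)": obs}, {"input(A)": both}, {"input(A)": both},
            {"input(A)": both, "output(A)": verdict}]

def undecided_trace():
    """Same inputs as sample_trace, but A never produces a conclusion."""
    tr = sample_trace()
    tr[3] = {"input(A)": tr[3]["input(A)"]}
    return tr
```

The structure of conclusion_pro_active mirrors the formula: the two outer loops are the universal quantifiers over t and t', the two `continue` statements discharge the implication when its antecedent is false, and the final `any(all(...))` is the existential over t'' with the universal over s inside it.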



[Fig. 6 (tree) node labels: conclusion successfulness, A; pro-active observation info saturation, A; spontaneous observation info saturation, A; reactive observation info saturation, A; weakly reactive information provision, A; observation reactiveness, A] 

Fig. 6. Conclusion successfulness of A 

All properties occurring in Figure 6 are also properties of agent A. The leaves in the 
tree are either environmental properties of A or behavioural properties of A. To prove 
environmental properties of a component, behavioural properties of other components 
of the same level (in this case other agents and/or the world) are needed, as are 
properties about interactions between these components (in this case interactions 
between agents and between the world and agents). For example, the property 
communicated information saturation of agent A (see Figure 6) can be proved from 
interaction effectiveness from agent B to agent A and the property successful 
information provision of agent B, see Figure 7. 

Information provision successfulness 

a) The agent x is called successful information providing if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall r\ \exists \mathit{sign}\ \exists t\ \ \mathit{state}_X(\mathcal{M}, t, \mathit{output}(X)) \models \mathit{to\_be\_communicated\_to}(\mathit{world\_info}, \mathit{view}(X,r), \mathit{sign}, Y)$

b) The agent x is called successful information providing pro-active if 
x is observation effective and strongly information providing pro-active. 

c) The agent x is called successful information providing reactive if 
x is request saturating and reactive observation effective. 



[Figure 7, AND tree. Root: communicated info saturation, A. Children: communication effectiveness from B to A; successful information provision, B.] 

Fig. 7. Communicated info saturation of A 

Similarly, the properties observation input correctness and communication input 
correctness of an agent depend on correct information coming from the other agent or 
from the world (see Section 5.3 for definitions of properties concerning the world), see 
Figure 8. 



[Figure 8, two AND trees. Root: observation input correctness, A. Children: correctness of W; input information of A is only provided by W; observation interaction effectiveness from W to A. Root: communication input correctness, A. Children: information provision correctness, B; input information of A is only provided by B; communication interaction effectiveness from B to A.] 

Fig. 8. Information correctness of A 

The property spontaneous observation info saturation of an agent as used 
in Figure 6 is defined by the property pro-activeness of the world (see Section 5.3) and 
interaction effectiveness from the world to that agent, see Figure 9. 



[Figure 9, AND tree. Root: spontaneous observation info saturation, A. Children: pro-activeness, W; effective interaction from W to A.] 

Fig. 9. Spontaneous observation info saturation of A 
The property successful information provision of agent B, used in Figure 7, can be 
proven in several ways. The first division made in Figure 10 is between pro-active and 
reactive information provision. Also the notions strong and weak are used. 

Information provision correctness 

The agent x is called information providing correct if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall r\ \forall t$

$[\ \mathit{state}_X(\mathcal{M}, t, \mathit{output}(X)) \models \mathit{to\_be\_communicated\_to}(\mathit{world\_info}, \mathit{view}(X,r), \mathit{pos}, Y) \Rightarrow \mathcal{M} \models \mathit{view}(X,r)\ ]$

$\wedge\ \forall \mathcal{M} \in \mathit{Traces}(X)\ \forall r\ \forall t$

$[\ \mathit{state}_X(\mathcal{M}, t, \mathit{output}(X)) \models \mathit{to\_be\_communicated\_to}(\mathit{world\_info}, \mathit{view}(X,r), \mathit{neg}, Y) \Rightarrow \mathcal{M} \models \neg\mathit{view}(X,r)\ ]$

Information providing pro-activeness 

a) The agent x is called weakly information providing pro-active if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t, r, \mathit{sign}$

$[\ \mathit{state}_X(\mathcal{M}, t, \mathit{input}(X)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})$

$\ \ \Rightarrow\ \exists t' > t\ \ \mathit{state}_X(\mathcal{M}, t', \mathit{output}(X)) \models \mathit{to\_be\_communicated\_to}(\mathit{world\_info}, \mathit{view}(X,r), \mathit{sign}, Y)\ ]$

b) The agent x is called strongly information providing pro-active if 
x is weakly information providing pro-active and observation pro-active. 

Information providing reactiveness 

a) The agent x is called weakly information providing reactive if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t, t', r, \mathit{sign}$

$[\ \mathit{state}_X(\mathcal{M}, t, \mathit{input}(X)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})\ \wedge$

$\ \ \mathit{state}_X(\mathcal{M}, t', \mathit{input}(X)) \models \mathit{communicated\_from}(\mathit{request}, \mathit{view}(X,r), \mathit{pos}, Y)\ ]$

$\Rightarrow\ \exists t'' > t, t'' > t'\ \ \mathit{state}_X(\mathcal{M}, t'', \mathit{output}(X)) \models \mathit{to\_be\_communicated\_to}(\mathit{world\_info}, \mathit{view}(X,r), \mathit{sign}, Y)$

b) The agent x is called strongly information providing reactive if 
x is weakly information providing reactive and observation reactive. 

c) The agent x is called reactive observation info saturating if 
x is request saturating and strongly information providing reactive. 

The tree in Figure 10 consists of logical relations between properties of the agent B. 
Some of them have been defined above, the others are defined as follows. 

Information acquisition pro-activeness of an agent 

a) The agent x is called observation pro-active if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall r\ \exists t\ [\ \mathit{state}_X(\mathcal{M}, t, \mathit{output}(X)) \models \mathit{to\_be\_observed}(\mathit{view}(X,r))\ ]$

b) The agent x is called request pro-active if for all agents Y different from x: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall r\ \exists t\ [\ \mathit{state}_X(\mathcal{M}, t, \mathit{output}(X)) \models \mathit{to\_be\_communicated\_to}(\mathit{request}, \mathit{view}(Y,r), \mathit{pos}, Y)\ ]$

c) The agent x is called information acquisition pro-active if x is observation pro-
active and request pro-active. 

Observation reactiveness of an agent 

The agent x is called observation reactive if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r\ [\ \mathit{state}_X(\mathcal{M}, t, \mathit{input}(X)) \models \mathit{communicated\_from}(\mathit{request}, \mathit{view}(X,r), \mathit{pos}, Y)$

$\ \ \Rightarrow\ \exists t'\ \ \mathit{state}_X(\mathcal{M}, t', \mathit{output}(X)) \models \mathit{to\_be\_observed}(\mathit{view}(X,r))\ ]$
[Figure 10, AND/OR tree of properties of agent B. Root: successful information provision, B; the tree below it (effectiveness, B; information reactiveness, B; information provision, B) is only partly recoverable here.] 

Fig. 10. Successful information provision of B 
Information acquisition effectiveness of an agent 

a) The agent x is called observation effective if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r\ [\ \mathit{state}_X(\mathcal{M}, t, \mathit{output}(X)) \models \mathit{to\_be\_observed}(\mathit{view}(X,r))$

$\ \ \Rightarrow\ \exists t' > t\ \exists \mathit{sign}\ \ \mathit{state}_X(\mathcal{M}, t', \mathit{input}(X)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})\ ]$

b) The agent x is called request effective if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r$

$[\ \mathit{state}_X(\mathcal{M}, t, \mathit{output}(X)) \models \mathit{to\_be\_communicated\_to}(\mathit{request}, \mathit{view}(Y,r), \mathit{pos}, Y)$

$\ \ \Rightarrow\ \exists t' > t, \mathit{sign}\ \ \mathit{state}_X(\mathcal{M}, t', \mathit{input}(X)) \models \mathit{communicated\_from}(\mathit{world\_info}, \mathit{view}(Y,r), \mathit{sign}, Y)\ ]$

c) The agent x is called information acquisition effective if 
x is observation effective and request effective. 

d) The agent x is called reactive observation effective if: 

$\forall \mathcal{M} \in \mathit{Traces}(X)\ \forall t\ \forall r$

$[\ \mathit{state}_X(\mathcal{M}, t, \mathit{input}(X)) \models \mathit{communicated\_from}(\mathit{request}, \mathit{view}(Y,r), \mathit{pos}, Y)$

$\ \ \Rightarrow\ \exists t' > t, \mathit{sign}\ \ \mathit{state}_X(\mathcal{M}, t', \mathit{input}(X)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})\ ]$

e) The agent x is called pro-active observation info saturating if 
x is observation pro-active and observation effective. 

The relations between the environmental properties request saturation of agent A and 
observation effectiveness of agent A, and properties of the world, of agent B, and of 
interactions between agents and world can be found in Figure 11. 



[Figure 11, two trees. Root: observation effectiveness, A; child: interaction effectiveness from A to W. Root: request saturation, A; child: interaction effectiveness from W to A.] 

Fig. 11. Observation effectiveness and request saturation of A 

5.3 Properties of the World 

For the component World assumptions on correctness and conservativity are made. 

Correctness of the world 

The world W is called correct if: 

$\forall \mathcal{M} \in \mathit{Traces}(W)\ \forall t\ \forall r, X$

$[\ \mathit{state}_W(\mathcal{M}, t, \mathit{output}(W)) \models \mathit{observation\_result\_for}(\mathit{view}(X,r), \mathit{pos}, X) \Rightarrow \mathcal{M} \models \mathit{view}(X,r)\ ]$

$\wedge\ \forall \mathcal{M} \in \mathit{Traces}(W)\ \forall t\ \forall r, X$

$[\ \mathit{state}_W(\mathcal{M}, t, \mathit{output}(W)) \models \mathit{observation\_result\_for}(\mathit{view}(X,r), \mathit{neg}, X) \Rightarrow \mathcal{M} \models \neg\mathit{view}(X,r)\ ]$

Conservativity of the world 

The world W is called conservative if: 

$\forall \mathcal{M} \in \mathit{Traces}(W)\ \forall t\ \forall r, \mathit{sign}, X$

$[\ \mathit{state}_W(\mathcal{M}, t, \mathit{output}(W)) \models \mathit{observation\_result\_for}(\mathit{view}(X,r), \mathit{sign}, X)$

$\ \ \Rightarrow\ \forall t' > t\ \ \mathit{state}_W(\mathcal{M}, t', \mathit{output}(W)) \models \mathit{observation\_result\_for}(\mathit{view}(X,r), \mathit{sign}, X)\ ]$

Moreover, the world should be effective in providing observation results for 
observations initiated by the agents. 

Observation effectiveness of the world 

The component W is called observation effective if: 

$\forall \mathcal{M} \in \mathit{Traces}(W)\ \forall t\ \forall r, X$

$[\ \mathit{state}_W(\mathcal{M}, t, \mathit{input}(W)) \models \mathit{to\_be\_observed\_by}(\mathit{view}(X,r), X)\ ]$

$\Rightarrow\ [\ \exists t' > t, \mathit{sign}\ \ \mathit{state}_W(\mathcal{M}, t', \mathit{output}(W)) \models \mathit{observation\_result\_for}(\mathit{view}(X,r), \mathit{sign}, X)\ ]$



It is also possible that the world provides observation information without an 
initiative from the agent (e.g., by automated sensors). In this case the world shows 
pro-activeness: 

Observation pro-activeness of the world 

The component W is called observation pro-active if: 

$\forall \mathcal{M} \in \mathit{Traces}(W)\ \forall r, X\ \exists t, \mathit{sign}\ \ \mathit{state}_W(\mathcal{M}, t, \mathit{output}(W)) \models \mathit{observation\_result\_for}(\mathit{view}(X,r), \mathit{sign}, X)$



6 Properties of Agent Components 

The properties of the agents needed to prove the properties of the top level of the 
system were discussed in Section 5.2. The assumed properties of the sub-components 
of an agent, needed to prove the behavioural properties of that agent, and the logical 
structure of those proofs in the form of trees are discussed in this section. Properties 
of the component Own Process Control play a role in the proof of each behavioural agent 
property. 

6.1 Properties of Own Process Control 

In the component Own Process Control the agent’s attitudes are explicitly represented. 
The attitudes are represented in the following manner: 



attitude                                    representation within OPC 
pro-active observation                      observation_attitude(pro-active) 
weakly pro-active information provision     info_provision_attitude(weakly_pro-active) 
strongly pro-active information provision   info_provision_attitude(strongly_pro-active) 
pro-active requesting                       requesting_attitude(pro-active) 
pro-active reasoning                        reasoning_attitude(weakly_pro-active) 
reactive observation                        observation_attitude(reactive) 
weakly reactive information provision       info_provision_attitude(weakly_reactive) 
strongly reactive information provision     info_provision_attitude(strongly_reactive) 



Attitude determination successfulness of OPC 

The component OPC is called attitude determination successful for the attitude pro-
activeness of observation if: 

$\forall \mathcal{M} \in \mathit{Traces}(OPC)\ \exists t\ \forall t' \geq t\ \ \mathit{state}_{OPC}(\mathcal{M}, t', \mathit{output}(OPC)) \models \mathit{observation\_attitude}(\mathit{pro\text{-}active})$

In a similar manner attitude determination successfulness for the other attitudes is 
defined. 

In the example the attitudes are assumed to be defined in a static manner, as general 
facts in OPC. However, it is not difficult to define them dynamically (i.e., such that an 
agent may change its attitude on the basis of experiences) by specifying a knowledge 
base that takes into account (dynamic) input for OPC. 

Attitude conservativity of OPC 

The component OPC is called attitude conservative for the attitude pro-activeness of 
observation if: 

$\forall \mathcal{M} \in \mathit{Traces}(OPC)\ \forall t$

$\mathit{state}_{OPC}(\mathcal{M}, t, \mathit{output}(OPC)) \models \mathit{observation\_attitude}(\mathit{pro\text{-}active})$

$\ \ \Rightarrow\ \forall t' > t\ \ \mathit{state}_{OPC}(\mathcal{M}, t', \mathit{output}(OPC)) \models \mathit{observation\_attitude}(\mathit{pro\text{-}active})$

In a similar manner attitude conservativity for the other attitudes is defined. 

In order to prove observation pro-activeness of agent A not only properties of OPC are 
needed, but also of the component WIM. The logical relations between these properties 
can be found in Figure 12. 



[Figure 12, AND tree. Root: observation pro-activeness, A. Children: successful attitude determination: observation pro-active, OPC; interaction effectiveness from OPC to WIM; pro-active observation generating effectiveness, WIM; interaction effectiveness from WIM to A.] 

Fig. 12. Observation pro-activeness of A 

The properties concerning interaction effectiveness used on this level correspond to the 
same properties on the top level. Explicit definitions have been omitted in this paper. 

6.2 Properties of World Interaction Management 

If the agent is pro-active for observation, see Figure 12, then the agent makes sure 
that every observation is performed at least once. The component world interaction 
management initiates these observations. 

Pro-active observation generation effectiveness of WIM 

The component WIM of agent x is called pro-actively observation generation effective 
if: 

$\forall \mathcal{M} \in \mathit{Traces}(WIM)\ \forall t\ \forall r$

$[\ \mathit{state}_{WIM}(\mathcal{M}, t, \mathit{input}(WIM)) \models \mathit{observation\_attitude}(\mathit{pro\text{-}active})$

$\ \ \Rightarrow\ \exists t'\ \ \mathit{state}_{WIM}(\mathcal{M}, t', \mathit{output}(WIM)) \models \mathit{to\_be\_observed}(\mathit{view}(X,r))\ ]$

Note that no temporal restrictions are put on $t'$: either the observation has been 
generated in the past (in which case no new observation has to be initiated), or it has 
to be done now or in the future. 

In the reactive case, also the presence of a request is of importance: 

Reactive observation generation effectiveness of WIM 

The component WIM of agent x is called reactively observation generation effective 
if: 

$\forall \mathcal{M} \in \mathit{Traces}(WIM)\ \forall t\ \forall r$

$[\ [\ \mathit{state}_{WIM}(\mathcal{M}, t, \mathit{input}(WIM)) \models \mathit{observation\_attitude}(\mathit{reactive})\ \wedge$

$\ \ \ \mathit{state}_{WIM}(\mathcal{M}, t, \mathit{input}(WIM)) \models \mathit{requested}(\mathit{view}(X,r))\ ]$

$\ \ \Rightarrow\ \exists t'\ \ \mathit{state}_{WIM}(\mathcal{M}, t', \mathit{output}(WIM)) \models \mathit{to\_be\_observed}(\mathit{view}(X,r))\ ]$



Given this property and the ability of AIM to pass on request information to WIM it is 
possible to prove observation reactiveness of agent A, see Figure 13. 



[Figure 13, AND tree. Root: observation reactiveness, A. Children: indirect interaction effectiveness from A to WIM; interaction effectiveness from WIM to A; observation reactiveness, WIM. Indirect interaction effectiveness from A to WIM has children: interaction effectiveness from A to AIM; request transfer, AIM; interaction effectiveness from AIM to WIM. Observation reactiveness, WIM has children: reactive observation attitude information saturation, WIM; reactive observation generation effectiveness, WIM. Reactive observation attitude information saturation, WIM has children: successful attitude determination: reactive observation, OPC; interaction effectiveness from OPC to WIM.] 

Fig. 13. Observation reactiveness of A 



Observation result transfer of WIM 

The component WIM of agent x is called observation result transferring if: 

$\forall \mathcal{M} \in \mathit{Traces}(WIM)\ \forall t\ \forall r, \mathit{sign}$

$[\ \mathit{state}_{WIM}(\mathcal{M}, t, \mathit{input}(WIM)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})$

$\ \ \Rightarrow\ \exists t' \geq t\ \ \mathit{state}_{WIM}(\mathcal{M}, t', \mathit{output}(WIM)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})\ ]$

This property is used in Figure 14, 15, and 17. 

In order to prove weakly pro-active or weakly reactive information provision of A, the 
properties of the component agent interaction management are of importance. 
6.3 Properties of Agent Interaction Management 

Pro-active information provision effectiveness of AIM 

The component AIM of agent x is called weakly pro-actively information provision 
effective if for every agent Y different from x: 

$\forall \mathcal{M} \in \mathit{Traces}(AIM)\ \forall t\ \forall r, \mathit{sign}$

$[\ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{input}(AIM)) \models \mathit{info\_provision\_attitude}(\mathit{weakly\_pro\text{-}active})\ \wedge$

$\ \ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{input}(AIM)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})$

$\ \ \Rightarrow\ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{output}(AIM)) \models \mathit{to\_be\_communicated\_to}(\mathit{world\_info}, \mathit{view}(X,r), \mathit{pos}, Y)\ ]$

Figure 14 shows how the agent property weakly pro-active information provision 
depends on other properties of AIM. The component AIM needs observation information; 
therefore, the observation result transfer property of WIM, effective interaction from 
the input of the agent to WIM, and effective interaction from WIM to AIM should hold. The 
correct necessary attitude information is provided by OPC. 



[Figure 14, AND tree. Root: weakly pro-active information provision, A. Among its children: interaction effectiveness from OPC to AIM; the remaining nodes are not recoverable here.] 

Fig. 14. Weakly pro-active information provision of A 



Reactive information provision effectiveness of AIM 

The component AIM of agent x is called weakly reactively information provision 
effective if for every agent Y different from x: 

$\forall \mathcal{M} \in \mathit{Traces}(AIM)\ \forall t, t'\ \forall r, \mathit{sign}$

$[\ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{input}(AIM)) \models \mathit{info\_provision\_attitude}(\mathit{weakly\_reactive})\ \wedge$

$\ \ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{input}(AIM)) \models \mathit{observation\_result}(\mathit{view}(X,r), \mathit{sign})\ \wedge$

$\ \ \mathit{state}_{AIM}(\mathcal{M}, t', \mathit{input}(AIM)) \models \mathit{requested}(\mathit{view}(X,r))$

$\ \ \Rightarrow\ \exists t'' \geq t, t'' \geq t'\ \ \mathit{state}_{AIM}(\mathcal{M}, t'', \mathit{output}(AIM)) \models \mathit{to\_be\_communicated\_to}(\mathit{world\_info}, \mathit{view}(X,r), \mathit{pos}, Y)\ ]$

Similarly, the reactive information provision effectiveness property of AIM is needed to 
prove the agent property weakly reactive information provision, see Figure 15. 

[Figure 15, AND tree. Root: weakly reactive information provision, A; the remaining nodes are not recoverable here.] 

Fig. 15. Weakly reactive information provision of A 



Request transfer of AIM 

The component AIM of agent x is called request transferring if for every agent Y 
different from x: 

$\forall \mathcal{M} \in \mathit{Traces}(AIM)\ \forall t\ \forall r$

$[\ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{input}(AIM)) \models \mathit{communicated\_by}(\mathit{request}, \mathit{view}(X,r), \mathit{pos}, Y)$

$\ \ \Rightarrow\ \exists t' \geq t\ \ \mathit{state}_{AIM}(\mathcal{M}, t', \mathit{output}(AIM)) \models \mathit{requested}(\mathit{view}(X,r))\ ]$

This property is used in Figure 13 and in Figure 17. The following property can be 
used to prove request pro-activeness of agent A, see Figure 16. 
Pro-active request generation effectiveness of AIM 

The component AIM of agent x is called pro-actively request generation effective if for 
every agent Y different from x: 

$\forall \mathcal{M} \in \mathit{Traces}(AIM)\ \forall t\ \forall r$

$[\ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{input}(AIM)) \models \mathit{requesting\_attitude}(\mathit{pro\text{-}active})$

$\ \ \Rightarrow\ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{output}(AIM)) \models \mathit{to\_be\_communicated\_to}(\mathit{request}, \mathit{view}(Y,r), \mathit{pos}, Y)\ ]$



[Figure 16, AND tree. Root: request pro-activeness, A. Children: interaction effectiveness from AIM to A; pro-active request generating effectiveness, AIM; pro-active request attitude information saturation, AIM. The last has children: successful attitude determination: pro-active request, OPC; interaction effectiveness from OPC to AIM.] 

Fig. 16. Request pro-activeness of A 

Communicated information transfer of AIM 

The component AIM of agent x is called communicated information transferring if for 
every agent Y different from x: 

$\forall \mathcal{M} \in \mathit{Traces}(AIM)\ \forall t\ \forall r, \mathit{sign}\ [\ \mathit{state}_{AIM}(\mathcal{M}, t, \mathit{input}(AIM)) \models \mathit{communicated\_by}(\mathit{world\_info}, \mathit{view}(Y,r), \mathit{sign}, Y)$

$\ \ \Rightarrow\ \exists t' \geq t\ \ \mathit{state}_{AIM}(\mathcal{M}, t', \mathit{output}(AIM)) \models \mathit{received\_world\_info}(\mathit{view}(Y,r), \mathit{sign})\ ]$

6.4 Properties of the Agent Specific Task: OC 

The required properties of the component OC are the following. Conclusiveness 
defines that the component is able to draw decisive conclusions if sufficient input is 
provided. 

Conclusiveness of OC 

The component OC is called conclusive if, under the condition that all required input 
information has been acquired, for every output atom a conclusion is derived. 

$\forall \mathcal{M} \in \mathit{Traces}(OC)\ [\ \forall Y\ \exists r, t\ \ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{input}(OC)) \models \mathit{view}(Y,r)\ ]$

$\Rightarrow\ \forall s\ [\ \exists t\ \ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{output}(OC)) \models \mathit{object\_type}(s)$

$\ \ \vee\ \exists t\ \ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{output}(OC)) \models \neg\mathit{object\_type}(s)\ ]$

To allow OPC to control the reasoning on the basis of its reasoning attitude, the 
following conditional variant of conclusiveness is needed. This means that conclusions 
are only drawn if the right targets have been input to OC (transferred from OPC). 
Conditional conclusiveness is used to prove conclusion pro-activeness of agent A in 
Figure 17. 

Conditional conclusiveness of OC 

The component OC is called conditionally conclusive if, under the condition that all 
required input information has been acquired, for every output atom which is 
associated to its focus (as a target), a conclusion is derived: 

$\forall \mathcal{M} \in \mathit{Traces}(OC)\ \forall s$

$[\ \forall Y\ \exists r, t\ \ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{input}(OC)) \models \mathit{view}(Y,r)\ ]\ \wedge$

$[\ \exists t\ \ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{input}(OC)) \models \mathit{target}(\mathit{OC\_focus}, \mathit{object\_type}(s), \mathit{determine})\ ]$

$\Rightarrow\ [\ \exists t'\ \ \mathit{state}_{OC}(\mathcal{M}, t', \mathit{output}(OC)) \models \mathit{object\_type}(s)$

$\ \ \vee\ \exists t'\ \ \mathit{state}_{OC}(\mathcal{M}, t', \mathit{output}(OC)) \models \neg\mathit{object\_type}(s)\ ]$

Conclusion correctness means: if a conclusion is derived, then this conclusion 
corresponds to the world situation. 

Conclusion correctness of OC 

The component OC is called conclusion correct if: 

$\forall \mathcal{M} \in \mathit{Traces}(OC)\ \forall t\ \forall s$

$[\ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{output}(OC)) \models \mathit{object\_type}(s) \Rightarrow \mathcal{M} \models \mathit{object\_type}(s)\ ]$

$\wedge\ [\ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{output}(OC)) \models \neg\mathit{object\_type}(s) \Rightarrow \mathcal{M} \models \neg\mathit{object\_type}(s)\ ]$

Conservativity can be defined by: 

Conclusion conservativity of OC 

The component OC is called conclusion conservative if: 

$\forall \mathcal{M} \in \mathit{Traces}(OC)\ \forall t\ \forall s$

$[\ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{output}(OC)) \models \mathit{object\_type}(s) \Rightarrow \forall t' > t\ \ \mathit{state}_{OC}(\mathcal{M}, t', \mathit{output}(OC)) \models \mathit{object\_type}(s)\ ]$

$\wedge\ [\ \mathit{state}_{OC}(\mathcal{M}, t, \mathit{output}(OC)) \models \neg\mathit{object\_type}(s) \Rightarrow \forall t' > t\ \ \mathit{state}_{OC}(\mathcal{M}, t', \mathit{output}(OC)) \models \neg\mathit{object\_type}(s)\ ]$
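The properties of Sections 5.3 and 6.4 are all built from three temporal patterns over traces (conservativity, effectiveness, correctness). The following checker, an added example and not code from the paper, evaluates those patterns on finite traces and instantiates them for the world and for OC; the interface names "input"/"output", the literal encoding and the sample traces are assumptions of this example.

```python
"""Checker for the trace properties of Sections 5 and 6 (added example; not the
paper's own code).  A trace M is a finite list of states; trace[t] records the
literals true at time t on the input and output interface of one component, so
    state_X(M, t, output(X)) |= p   iff   p in trace[t].output.
The static world (Sect. 6.5) is the set of literals that hold in the world."""
from dataclasses import dataclass

NOT = "not"


def neg(lit):
    """The negated literal, written ¬p in the paper."""
    return (NOT, lit)


@dataclass(frozen=True)
class State:
    input: frozenset = frozenset()
    output: frozenset = frozenset()


def holds(trace, t, interface, lit):
    """state(M, t, interface) |= lit."""
    return lit in getattr(trace[t], interface)


# --- the three temporal patterns the definitions are built from -------------
def conservative(trace, interface, lits):
    """state(t) |= p  ==>  for all t' > t: state(t') |= p."""
    n = len(trace)
    return all(not holds(trace, t, interface, p)
               or all(holds(trace, u, interface, p) for u in range(t + 1, n))
               for t in range(n) for p in lits)


def effective(trace, trig_iface, resp_iface, triggers, responses):
    """state(t).trig |= q  ==>  exists t' > t, r in responses(q): state(t').resp |= r."""
    n = len(trace)
    return all(not holds(trace, t, trig_iface, q)
               or any(holds(trace, u, resp_iface, r)
                      for u in range(t + 1, n) for r in responses(q))
               for t in range(n) for q in triggers)


def correct(trace, world, lits):
    """A positive output literal must hold in the world, a negated one must not."""
    return all((not holds(trace, t, "output", p) or p in world)
               and (not holds(trace, t, "output", neg(p)) or p not in world)
               for t in range(len(trace)) for p in lits)


# --- instances for the world (Sect. 5.3) and OC (Sect. 6.4) -----------------
def view(agent, r):
    return ("view", agent, r)


def object_type(s):
    return ("object_type", s)


def to_be_observed_by(v, x):
    return ("to_be_observed_by", v, x)


def observation_result_for(v, sign, x):
    return ("observation_result_for", v, sign, x)


def world_observation_effective(trace, views, agent):
    """Every to_be_observed_by on the input is answered later by an
    observation_result_for with some sign on the output."""
    triggers = [to_be_observed_by(v, agent) for v in views]
    return effective(trace, "input", "output", triggers,
                     lambda q: [observation_result_for(q[1], s, agent)
                                for s in ("pos", "neg")])


def world_conservative(trace, views, agent):
    """Observation results, once output, are never retracted."""
    return conservative(trace, "output",
                        [observation_result_for(v, s, agent)
                         for v in views for s in ("pos", "neg")])


def world_correct(trace, world, views, agent):
    """pos results are true views, neg results are false views in the world."""
    pos = lambda v: observation_result_for(v, "pos", agent)
    nega = lambda v: observation_result_for(v, "neg", agent)
    return all((not holds(trace, t, "output", pos(v)) or v in world)
               and (not holds(trace, t, "output", nega(v)) or v not in world)
               for t in range(len(trace)) for v in views)


def conclusion_conservative(trace, subjects):
    lits = [object_type(s) for s in subjects]
    return conservative(trace, "output", lits + [neg(p) for p in lits])


def conclusion_correct(trace, world, subjects):
    return correct(trace, world, [object_type(s) for s in subjects])


# --- constructed sample traces (not from the paper) ------------------------
V = view("A", "r1")
WORLD = {V, object_type("s1")}                    # static world model M
req = to_be_observed_by(V, "A")
res = observation_result_for(V, "pos", "A")
con = object_type("s1")
WORLD_TRACE = [State(input=frozenset({req})), State(input=frozenset({req})),
               State(output=frozenset({res})), State(output=frozenset({res}))]
OC_TRACE_OK = [State(), State(output=frozenset({con})),
               State(output=frozenset({con}))]
OC_TRACE_RETRACT = [State(), State(output=frozenset({con})),
                    State(output=frozenset({neg(con)}))]
```

On a trace that retracts object_type(s1) the conservativity check fails, and because the retraction contradicts the world model the correctness check fails as well.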



6.5 Domain Assumptions 

The properties also need assumptions on the domain knowledge to be used in the 
model. 

Static world 

The world state is static during the processing of the system S. 

Empirical foundedness 

The possible conclusions can be uniquely characterised by means of observations; in 
other words: if two world situations satisfy exactly the same observations, then they 
also satisfy exactly the same conclusions (see Treur and Willems, 1994). 

7 Verification of Primitive Components 

In Sections 5 and 6 verification of the multi-agent model was described, based on 
assumed properties of the primitive components. The primitive components can be 
verified making use of the more standard methods introduced in (Treur and Willems, 
1994; Leemans, Treur and Willems, 1993). For example, the component Object 
Classification should satisfy conclusion correctness and conditional conclusiveness. 
Actually, these two properties reduce to static properties described in (Treur and 
Willems, 1994). In fact all properties required for primitive components reduce to 
static properties that define a constraint on the combined input-output states of the 
component. Such properties can be verified by the (static) methods described in the 
references mentioned. 

8 Conclusions 

The modelling approach DESIRE is based on compositionality of processes and 
knowledge at different levels of abstraction. The compositional verification method 
described in this paper fits well to DESIRE, but can also be useful to any other 
compositional modelling approach. Two main advantages of a compositional 
approach to modelling are the transparent structure of the design and support for reuse 
of components and generic models. The compositional verification method extends 
these main advantages to (1) a well-structured verification process, and (2) the 
reusability of proofs for properties of components that are reused. 

The first advantage entails that both conceptually and computationally the complexity 
of the verification process can be handled by compositionality at different levels of 
abstraction. Apart from the work reported here, a generic model for diagnosis has been 
verified (Cornelissen, Jonker and Treur, 1997) and a multi-agent system with agents 
negotiating about load-balancing of electricity use. The second advantage entails: if a 
modified component satisfies the same properties as the previous one, the proof of the 
properties at the higher levels of abstraction can be reused to show that the new 
system has the same properties as the original. This has high value for a library of 
reusable generic models and components. The verification of generic models forces 
one to find the assumptions under which for the considered domain the generic model 
is applicable, as is also discussed in (Fensel, 1995; Fensel and Benjamins, 1996). A 
library of reusable components and task models may consist of both specifications of 
the components and models, and their design rationale. As part of the design rationale, 
at least the properties of the components and their logical relations can be 
documented. 

Also due to the compositional nature of the verification method, a distributed 
approach to verification is facilitated. This implies that several persons can work on 
the verification of the same system at the same time, once the properties to be verified 
have been determined. Since the proof of properties of a composed component depends 
on the properties of its sub-components, it is only necessary to know or to agree on 
the properties of these sub-components. 

The formal analysis of variants of reactiveness and pro-activeness properties deepened 
our insight into these notions and their logical relationships and interactions. 
Semantic formalisations of different variants of reactiveness and pro-activeness have 
been found in the form of conditional temporal statements. The notion of information 
and process hiding, in DESIRE modelled in terms of components at different 
abstraction levels, made it possible to distinguish in a natural manner between 
observable and non-observable variants of pro-activeness and reactiveness: the variants 
of behaviour that can be observed from outside the agent (at its interface), and the 
variants of internal behaviour (in its sub-components and interactions between them) 
that cannot be observed from outside. This formal analysis could be a starting point 
for a more general mathematical or logical theory on pro-activeness and reactiveness, 
and their interaction. Actually, the logical relations, in this paper depicted in the form 
of AND/OR graphs in the figures, can be viewed as lemmas and theorems in such a 
theory. 

A main difference in comparison to (Fisher and Wooldridge, 1997) is that our 
approach exploits compositionality. An advantage of their approach is that they can 
make use of a temporal belief logic. It would be a challenge to extend the approach as 
referred to a compositional variant of temporal belief logic. A first step in this 
direction can be found in (Engelfriet, Jonker and Treur, 1997). Also a main difference 
of the current paper in comparison to the work in (Fensel, 1995, Fensel and 
Benjamins, 1996; Fensel et al, 1996) is that in our approach compositionality of the 
verification is addressed; in the work as referred only domain assumptions are taken 
into account, and no hierarchical relations between properties are defined. 

A future continuation of this work will consider the development of tools for 
verification. At the moment only tools exist for the verification of primitive 
components; no tools for the verification of composed components exist yet. To 
support the handwork of verification it would be useful to have tools to assist in the 
creation of the proof. This could be done by formalising the proofs of a verification 
process using a first order logic in which time and states are represented explicitly, and 
an interactive theorem prover to support the proofs. Another option that will be 
explored is to extend Fisher and Wooldridge’s approach to the compositional case. Yet 
another option to be explored is whether the tool KIV (based on dynamic logic) can be 
used. Some first, positive experiences with KIV for verification of an example model 
of a knowledge-based system are reported in (Fensel et al, 1996). 
Abstract. In modular verification the specification of a module con-
sists of two parts. One part describes the guaranteed behavior of the 
module. The other part describes the assumed behavior of the system 
in which the module is interacting. This is called the assume-guarantee 
paradigm. In this paper we consider assume-guarantee specifications in 
which the guarantee is specified by branching temporal formulas. We dis-
tinguish between two approaches. In the first approach, the assumption 
is specified by branching temporal formulas. In the second approach, the 
assumption is specified by linear temporal logic. We consider guarantees 
in ∀CTL and ∀CTL*, the universal fragments of CTL and CTL*, and 
assumptions in LTL, ∀CTL, and ∀CTL*. We describe a reduction of mod-
ular model checking to standard model checking. Using the reduction, we 
show that modular model checking is PSPACE-complete for ∀CTL and 
is EXPSPACE-complete for ∀CTL*. We then show that the case of LTL 
assumption is a special case of the case of ∀CTL* assumption, but that 
the EXPSPACE-hardness result applies already to assumptions in LTL. 



1 Introduction 

Temporal logics, which are modal logics geared towards the description of the 
temporal ordering of events, have been adopted as a powerful tool for specifying 
and verifying concurrent programs [Pnu77, Pnu81]. One of the most significant 
developments in this area is the discovery of algorithmic methods for verifying 
temporal-logic properties of finite-state programs [CES86, LP85, QS81]. This 

* This paper is based on “On the complexity of modular model checking” , by 
M.Y. Vardi, Proc. 10th IEEE Symp. on Logic in Computer Science (LICS’95), June 
1995, pp. 101-111, and “On the complexity of branching modular model checking”, 
by O. Kupferman and M.Y. Vardi, Proc. 6th International Conf. on Concurrency 
Theory (CONCUR’95), August 1995, Springer- Verlag, Lecture Notes in Computer 
Science 962, pp. 408-422. 

** Supported in part by ONR YIP award N00014-95-1-0520, by NSF CAREER award 
CCR-9501708, by NSF grant CCR-9504469, by AFOSR contract F49620-93-1-0056, 
by ARO MURI grant DAAH-04-96-1-0341, by ARPA grant NAG2-892, and by SRC 
contract 95-DC-324.036. 

*** Supported in part by NSF grants CCR-9628400 and CCR-9700061, and by a grant 
from the Intel Corporation. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 381-401, 1998. 

Springer-Verlag Berlin Heidelberg 1998 




382 O. Kupferman and M.Y. Vardi 

derives its significance both from the fact that many synchronization and com-
munication protocols can be modeled as finite-state programs, as well as from 
the great ease of use of fully algorithmic methods. Finite-state programs can be 
modeled by transition systems where each state has a bounded description, and 
hence can be characterized by a fixed number of boolean atomic propositions. 
This means that a finite-state program can be viewed as a finite propositional 
Kripke structure and its properties can be specified using propositional temporal 
logic. Thus, to verify the correctness of the program with respect to a desired 
behavior, one only has to check that the program, modeled as a finite Kripke 
structure, satisfies (is a model of) the propositional temporal logic formula that 
specifies that behavior. Hence the name model checking for the verification meth-
ods derived from this viewpoint. Surveys can be found in [CG87, Wol89, CGL93]. 

We distinguish between two types of temporal logics: linear and branching 
[Lam80]. In linear temporal logics, each moment in time has a unique possible 
future, while in branching temporal logics, each moment in time may split into 
several possible futures. The complexity of model checking for both linear and 
branching temporal logics is well understood: suppose we are given a program 
of size n and a temporal logic formula of size m. For a branching temporal logic 
such as CTL, model-checking algorithms run in time O(nm) [CES86], while, for 
linear temporal logic such as LTL, model-checking algorithms run in time 
[LP85]. Since model checking with respect to a linear temporal logic formula is 
PSPACE-complete [SC85], the latter bound probably cannot be improved. The 
difference in the complexity of linear and branching model checking has been 
viewed as an argument in favor of the branching paradigm. 

Model checking suffers, however, from the so-called state-explosion problem. 
In a concurrent setting, the program under consideration is typically the paral-
lel composition of many modules. As a result, the size of the state space of the 
program is the product of the sizes of the state spaces of the participating mod-
ules. This gives rise to state spaces of exceedingly large sizes, which makes even 
linear-time algorithms impractical. This issue is one of the most important ones 
in the area of computer-aided verification and is the subject of active research 
(cf. [BCM+90]). 

Modular verification is one possible way to address the state-explosion prob-
lem, cf. [CLM89, ASSS94]. In modular verification, one uses proof rules of the 
following form: 

$\left.\begin{array}{l} M_1 \models \psi_1 \\ M_2 \models \psi_2 \\ C(\psi_1, \psi_2, \psi) \end{array}\right\}\ \ M_1 \parallel M_2 \models \psi$

Here, $M \models \varphi$ means that the module $M$ satisfies the formula $\varphi$, the symbol $\parallel$ 
denotes parallel composition, and $C(\psi_1, \psi_2, \psi)$ is some logical condition relating 
$\psi_1$, $\psi_2$, and $\psi$. Using modular proof rules enables one to apply model checking 
only to the underlying modules, which have much smaller state spaces. 

The state-explosion problem is only one motivation for pursuing modular 
verification. Modular verification is advocated also for other methodological 
reasons; a robust verification methodology should provide rules for deducing 
properties of programs from the properties of their constituent modules. Indeed, 
efforts to develop modular verification frameworks were undertaken in the mid 
1980s [Pnu85b]. 

A key observation, see [Lam83, Jon83, MC81], is that in modular verification 
the specification should include two parts. One part describes the desired 
behavior of the module. The other part describes the assumed behavior of the 
system within which the module is interacting. This is called the assume-guarantee 
paradigm, as the specification describes what behavior the module is guaranteed 
to exhibit, assuming that the system behaves in the promised way. 

For the linear temporal paradigm, an assume-guarantee specification is a pair 
⟨φ, ψ⟩ where both φ and ψ are linear temporal logic formulas. The meaning 
of such a pair is that all the computations of the module are guaranteed to 
satisfy ψ, assuming that all the computations of the environment satisfy φ. 
As observed in [Pnu85b], in this case the assume-guarantee pair ⟨φ, ψ⟩ can be 
combined into a single linear temporal logic formula φ → ψ (see also [JT95]). 
Thus, model checking a module with respect to assume-guarantee specifications 
in which both the assumed and the guaranteed behaviors are linear temporal 
logic formulas is essentially the same as model checking the module with respect 
to linear temporal logic formulas. 

The situation is different for the branching temporal paradigm. Here the 
guarantee is a branching temporal formula, which describes the computation 
tree of the module. There are two approaches, however, to the assumptions in 
assume-guarantee pairs. The first approach, implicit in [CES86, EL85b, EL87] 
and made explicit in [Jos87a, Jos87b, Jos89, DDGJ89], is that the assumption 
in the assume-guarantee pair concerns the interaction of the module with its 
environment along each computation, and is therefore more naturally expressed in 
linear temporal logic. Thus, in this approach, an assume-guarantee pair should 
consist of a linear temporal assumption φ and a branching temporal guarantee ψ. 
The meaning of such a pair is that ψ holds in the computation tree that 
consists of all computations of the program that satisfy φ. The problem of 
verifying that a given module M satisfies such a pair ⟨φ, ψ⟩, which we call the 
linear-branching modular model-checking problem, is more general than either 
linear or branching model checking. 

A second approach was considered in [GL94], where assumptions are taken 
to apply to the computation tree of the system within which the module is 
interacting. Accordingly, assumptions in [GL94] are also expressed in branching 
temporal logic. There, a module M satisfies an assume-guarantee pair ⟨φ, ψ⟩ 
iff whenever M is part of a system satisfying φ, the system satisfies ψ too. 
We call this branching modular model checking. Furthermore, it is argued there, 
as well as in [DDGJ89, Jos89, GL91, DGG93], that in the context of modular 
verification it is advantageous to use only universal branching temporal logic, 
i.e., branching temporal logic without existential path quantifiers. That is, in a 
universal branching temporal logic one can state properties of all computations of 
a program, but one cannot state that certain computations exist. Consequently, 
universal branching temporal logic formulas have the helpful property that once 
they are satisfied in a module, they are satisfied also in a system that contains 
this module. The focus in [GL94] is on using ∀CTL, the universal fragment of 
CTL, for both the assumption and the guarantee. 

In this paper, we focus on the branching modular model-checking problem, 
which we show to be a proper extension of the linear-branching modular model-checking 
problem. We consider assumptions and guarantees in both ∀CTL and in 
the more expressive ∀CTL*. Our key result is that modular model checking can 
be reduced to standard model checking. At the same time, we show that there is 
a significant penalty in computational complexity. The fundamental technique 
used here is the maximal-model technique introduced in [GL94]. It is shown there 
that with every ∀CTL formula φ one can associate a maximal model M_φ (called 
the tableau of φ in [GL94]) such that a module M satisfies φ precisely when M 
simulates M_φ (we define simulation later on). We use here automata-theoretic 
techniques for CTL* [VS85, EJ88] to construct maximal models for ∀CTL* 
formulas. While maximal models for ∀CTL involve an exponential blow-up, 
maximal models for ∀CTL* involve a doubly exponential blow-up. The maximal-model 
technique yields optimal algorithms for modular model checking. We prove 
that the problem is PSPACE-complete for ∀CTL and is EXPSPACE-complete 
for ∀CTL*. We then show that the linear-branching model-checking problem is 
a special case of the branching modular model-checking problem, but that the 
EXPSPACE-hardness result applies already to assumptions in linear temporal 
logic. We also show that the increase in complexity is due solely to the assumption 
part of the specification. This suggests that modular model checking in the 
branching temporal framework can be practical only for very small assumptions. 

2 Preliminaries 

2.1 The Temporal Logics LTL, CTL*, and CTL 

The logic LTL is a linear temporal logic. Formulas of LTL are built from a set 
AP of atomic propositions using the usual Boolean operators and the temporal 
operators X ("next time"), U ("until"), and Ũ ("dual of until"). We present 
here a positive normal form in which negation may be applied only to atomic 
propositions. Given a set AP, an LTL formula is defined as follows: 

— true, false, p, or ¬p, for p ∈ AP. 

— ψ ∨ φ, ψ ∧ φ, Xψ, ψUφ, or ψŨφ, where ψ and φ are LTL formulas. 

We define the semantics of LTL with respect to a computation π = σ₀, σ₁, ..., 
where for every j ≥ 0, we have that σ_j is a subset of AP, denoting the set of 
atomic propositions that hold in the j-th position of π. We denote the suffix 
σ_j, ... of π by π^j. We use π ⊨ ψ to indicate that an LTL formula ψ holds 
in the path π. The relation ⊨ is inductively defined as follows: 

— For all π, we have that π ⊨ true and π ⊭ false. 

— For an atomic proposition p ∈ AP, we have π ⊨ p iff p ∈ σ₀ and π ⊨ ¬p iff 
p ∉ σ₀. 

— π ⊨ ψ ∨ φ iff π ⊨ ψ or π ⊨ φ. 

— π ⊨ ψ ∧ φ iff π ⊨ ψ and π ⊨ φ. 

— π ⊨ Xψ iff π¹ ⊨ ψ. 

— π ⊨ ψUφ iff there exists k ≥ 0 such that π^k ⊨ φ and π^i ⊨ ψ for all 
0 ≤ i < k. 

— π ⊨ ψŨφ iff for every k ≥ 0 for which π^k ⊭ φ, there exists 0 ≤ i < k such 
that π^i ⊨ ψ. 

We denote the size of a formula φ by |φ| and we use the following abbreviations 
in writing formulas: 

— The Boolean connectives → and ↔, interpreted in the usual way. 

— Fψ = true U ψ ("eventually"). 

— Gψ = ¬F¬ψ ("always"). 
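As an added example (not code from the paper), the Python below evaluates positive-normal-form LTL formulas, including the dual of until, over ultimately periodic computations, which is enough to decide every formula on the lasso-shaped words that finite-state modules produce; the request/grant computation and the formula names are constructed for illustration.

```python
# Added example (not from the paper): an evaluator for the positive-normal-form
# LTL of Section 2.1 over ultimately periodic computations pi = prefix . loop^omega.
# Formulas are nested tuples; "R" stands for the dual of until (U-tilde above).
from __future__ import annotations
from dataclasses import dataclass
from typing import FrozenSet, Tuple

Sigma = FrozenSet[str]  # sigma_j: the atomic propositions that hold at position j


@dataclass(frozen=True)
class Lasso:
    """Computation sigma_0 sigma_1 ... given finitely as prefix + repeated loop."""
    prefix: Tuple[Sigma, ...]
    loop: Tuple[Sigma, ...]  # non-empty; repeated forever after the prefix

    def at(self, j: int) -> Sigma:
        if j < len(self.prefix):
            return self.prefix[j]
        return self.loop[(j - len(self.prefix)) % len(self.loop)]

    def succ(self, j: int) -> int:
        """Index representing the suffix pi^(j+1); indices inside the loop wrap
        around, so only len(prefix)+len(loop) distinct suffixes ever occur."""
        n = j + 1
        bound = len(self.prefix) + len(self.loop)
        return n if n < bound else len(self.prefix) + (n - len(self.prefix)) % len(self.loop)


# Constructors for formulas in positive normal form.
TRUE, FALSE = ("true",), ("false",)
def atom(p): return ("p", p)
def natom(p): return ("not", p)
def Or(a, b): return ("or", a, b)
def And(a, b): return ("and", a, b)
def X(a): return ("X", a)
def U(a, b): return ("U", a, b)   # a U b
def R(a, b): return ("R", a, b)   # a U-tilde b, the dual of until


def neg(f):
    """Negation pushed down to the atoms using the dualities of Section 2.1
    (in particular, not(a U b) = (not a) U-tilde (not b))."""
    op = f[0]
    if op == "true": return FALSE
    if op == "false": return TRUE
    if op == "p": return natom(f[1])
    if op == "not": return atom(f[1])
    if op == "or": return And(neg(f[1]), neg(f[2]))
    if op == "and": return Or(neg(f[1]), neg(f[2]))
    if op == "X": return X(neg(f[1]))
    if op == "U": return R(neg(f[1]), neg(f[2]))
    return U(neg(f[1]), neg(f[2]))  # op == "R"


# The paper's abbreviations: F a = true U a, G a = not F not a, a -> b = not a or b.
def F(a): return U(TRUE, a)
def G(a): return neg(F(neg(a)))
def Implies(a, b): return Or(neg(a), b)


def holds(f, pi: Lasso, j: int = 0) -> bool:
    """pi^j |= f, following the inductive definition of Section 2.1."""
    op = f[0]
    if op == "true": return True
    if op == "false": return False
    if op == "p": return f[1] in pi.at(j)
    if op == "not": return f[1] not in pi.at(j)
    if op == "or": return holds(f[1], pi, j) or holds(f[2], pi, j)
    if op == "and": return holds(f[1], pi, j) and holds(f[2], pi, j)
    if op == "X": return holds(f[1], pi, pi.succ(j))
    # U and its dual quantify over the suffixes pi^k, k >= j; a lasso has only
    # finitely many distinct suffixes, so the walk stops once an index repeats.
    seen, k = set(), j
    while k not in seen:
        seen.add(k)
        if op == "U":
            if holds(f[2], pi, k): return True       # f[2] reached, f[1] held before it
            if not holds(f[1], pi, k): return False  # f[1] failed before f[2] was reached
        else:  # "R"
            if not holds(f[2], pi, k): return False  # f[2] failed with no earlier f[1]
            if holds(f[1], pi, k): return True       # f[1] seen: every later k has an i < k
        k = pi.succ(k)
    return op == "R"  # cycle closed: U never reached f[2]; R kept f[2] at every position


# Constructed sample: req at position 0, nothing at 1, then (req, grant) forever.
fs = frozenset
SAMPLE = Lasso(prefix=(fs({"req"}), fs()), loop=(fs({"req"}), fs({"grant"})))


def check_sample() -> dict:
    req, grant = atom("req"), atom("grant")
    return {
        "every request is eventually granted": holds(G(Implies(req, F(grant))), SAMPLE),  # True
        "grant at position 1": holds(X(grant), SAMPLE),                                    # False
        "infinitely many grants": holds(G(F(grant)), SAMPLE),                              # True
        "eventually always grant": holds(F(G(grant)), SAMPLE),                             # False
        "no grant before the first request": holds(R(req, natom("grant")), SAMPLE),        # True
    }
```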

The logic CTL* is a branching temporal logic. A path quantifier, E ("for 
some path") or A ("for all paths"), can prefix an assertion composed of an 
arbitrary combination of linear time operators. There are two types of formulas 
in CTL*: state formulas, whose satisfaction is related to a specific state, and 
path formulas, whose satisfaction is related to a specific path. Formally, let AP 
be a set of atomic proposition names. A CTL* state formula (again, in a positive 
normal form) is either: 

— true, false, p or ¬p, for p ∈ AP. 

— ψ ∨ φ or ψ ∧ φ, where ψ and φ are CTL* state formulas. 

— Eψ or Aψ, where ψ is a CTL* path formula. 

A CTL* path formula is either: 

— A CTL* state formula. 

— ψ ∨ φ, ψ ∧ φ, Xψ, ψUφ, or ψŨφ, where ψ and φ are CTL* path formulas. 

The logic CTL* consists of the set of state formulas generated by the above rules. 
The logic CTL is a restricted subset of CTL*. In CTL, the temporal operators 
X, U, and Ũ must be immediately preceded by a path quantifier. Formally, it is 
the subset of CTL* obtained by restricting the path formulas to be Xψ, ψUφ, 
or ψŨφ, where ψ and φ are CTL state formulas. 

The logic ∀CTL* is a restricted subset of CTL* that allows only the universal 
path quantifier A. Note that since negation in CTL* can be applied only to 
atomic propositions, assertions of the form ¬Aψ, which is equivalent to E¬ψ, are 
not possible. Thus, the logic ∀CTL* is not closed under negation. The logic ∀CTL 
is defined similarly, as the restricted subset of CTL that allows the universal 
path quantifier only. The logics ∃CTL* and ∃CTL are defined analogously, as 
the existential fragments of CTL* and CTL, respectively. Note that negating 
a ∀CTL* formula results in an ∃CTL* formula. For example, ¬A(pU(AXq)) is 
equivalent to E((¬p)Ũ(EX¬q)). Conversely, negating an ∃CTL* formula results in 
a ∀CTL* formula. 

The closure cl(ψ) of a CTL* formula ψ is the set of all state subformulas of 
ψ (including ψ but excluding true and false). For example, cl(E(pU(AXq))) = 
{E(pU(AXq)), p, AXq, q}. It is easy to see that the size of cl(ψ) is linear in the 
size of ψ. We say that a CTL* formula φ is a U-formula if it is of the form 
Aφ₁Uφ₂ or Eφ₁Uφ₂. The subformula φ₂ is then called the eventuality of φ. 
Similarly, φ is a Ũ-formula if it is of the form Aφ₁Ũφ₂ or Eφ₁Ũφ₂. We denote 
by AU(ψ) the set of formulas of the form Aφ₁Uφ₂ in cl(ψ). The sets EU(ψ), 
AŨ(ψ), and EŨ(ψ) are defined similarly. 

We define the semantics of CTL* (and its sublanguages) with respect to fair 
Rabin modules (fair modules, for short). A fair module M = (AP, W, R, W₀, L, α) 
consists of a set AP of atomic propositions, a set W of states, a total transition 
relation R ⊆ W × W, a set W₀ ⊆ W of initial states, a labeling function L : 
W → 2^{AP}, and a Rabin fairness condition α; that is, α defines a subset of 
W^ω (our choice of this type of fairness condition is technically motivated, as 
will be clarified in the sequel). For a state w ∈ W, we use bd(w) to denote 
the branching degree of w, that is, the number of different R-successors that 
w has. A computation of a fair module is a sequence of states, π = w₀, w₁, ... 
such that for every i ≥ 0, we have that (w_i, w_{i+1}) ∈ R. We extend the labeling 
function L to computations and denote by L(π) the word L(w₀) · L(w₁) · · ·. For 
a computation π, let inf(π) denote the set of states that repeat infinitely often 
in π. That is, 

$$\mathit{inf}(\pi) = \{ w : \text{for infinitely many } i \ge 0, \text{ we have } w_i = w \}.$$

A computation of M is fair iff it satisfies the fairness condition α. Thus, if α 
is {(G₁, B₁), ..., (G_k, B_k)}, then π is fair iff there exists 1 ≤ i ≤ k such that 
inf(π) ∩ G_i ≠ ∅ and inf(π) ∩ B_i = ∅. In other words, iff π visits G_i infinitely 
often and visits B_i only finitely often. We say that a fair module is nonempty iff 
there exists a fair computation that starts at an initial state. A module is a fair 
module with no fairness condition. That is, all the computations of a module are 
considered fair. We denote a module by M = (AP, W, R, W₀, L). 

We use w ⊨ φ to indicate that a state formula φ holds at state w (assuming 
an agreed fair module M). The relation ⊨ is inductively defined as follows (the 
relation π ⊨ ψ for a path formula ψ is the same as for ψ in LTL). 

— For all w, we have that w ⊨ true and w ⊭ false. 

— For an atomic proposition p ∈ AP, we have w ⊨ p iff p ∈ L(w) and w ⊨ ¬p 
iff p ∉ L(w). 

— w ⊨ ψ ∨ φ iff w ⊨ ψ or w ⊨ φ. 

— w ⊨ ψ ∧ φ iff w ⊨ ψ and w ⊨ φ. 

— w ⊨ Eψ iff there exists a fair computation π = w₀, w₁, ... such that w₀ = w 
and π ⊨ ψ. 

— w ⊨ Aψ iff for all fair computations π = w₀, w₁, ... such that w₀ = w, we 
have π ⊨ ψ. 

— π ⊨ φ for a computation π = w₀, w₁, ... and a state formula φ iff w₀ ⊨ φ. 

A fair module M satisfies a formula φ, denoted M ⊨ φ, iff φ holds in all initial 
states of M. The problem of determining whether a given fair module M satisfies 
a formula φ is the fair-model-checking problem. The complexity of fair model 
checking is very well understood. 
Theorem 1. 

(1) [SC85, VW86] The fair-model-checking problem for specification in LTL is 
PSPACE-complete. Determining whether M ⊨ φ for φ in LTL can be done 
in time k · 2^{O(l)} and space O((log k + l)²), where k is the size of M, and l is 
the length of φ. 

(2) [CES86, KV95] The fair-model-checking problem for specification in CTL is 
PTIME-complete. Determining whether M ⊨ φ for φ in CTL can be done 
in time O(kl) and space O(l log² k), where k is the size of M, and l is the 
length of φ. 

(3) [EL85a, KV95] The fair-model-checking problem for specification in CTL* 
is PSPACE-complete. Determining whether M ⊨ φ for φ in CTL* can be 
done in time k · 2^{O(l)} and space O(l(log k + l)²), where k is the size of M, and 
l is the length of φ. 

Since modular model checking with assumption φ and guarantee ψ in LTL 
reduces to model checking the formula φ → ψ [Pnu85a], it follows that 
determining whether M guarantees ψ under the assumption φ can be done in time 
k · 2^{O(l+m)} and space O((log k + l + m)²), where k is the size of M, l is the length 
of φ, and m is the length of ψ. 

2.2 Simulation Relation and Composition of Modules 

In the context of modular verification, it is helpful to define an order relation 
between fair modules [GL94]. Intuitively, the order captures what it means for 
a fair module M' to have "more behaviors" than a fair module M. Let M = 
(AP, W, R, W₀, L, α) and M' = (AP', W', R', W'₀, L', α') be two fair modules for 
which AP' ⊆ AP, and let w and w' be states in W and W', respectively. A 
relation H ⊆ W × W' is a simulation relation from (M, w) to (M', w') iff the 
following conditions hold: 

(1) H(w, w'). 

(2) For all s and s', we have that H(s, s') implies the following: 

(2.1) L(s) ∩ AP' = L(s'). 

(2.2) For every fair computation π = s₀, s₁, ... in M, with s₀ = s, there 
exists a fair computation π' = s'₀, s'₁, ... in M', with s'₀ = s', such that 
for all i ≥ 0, we have H(s_i, s'_i). 

A simulation relation H is a simulation from M to M' iff for every w ∈ W₀ 
there exists w' ∈ W'₀ such that H(w, w'). If there exists a simulation from M to 
M', we say that M simulates M' and we write M ≤ M'. Intuitively, it means 
that the fair module M' has more behaviors than the fair module M. In fact, 
every possible behavior of M is also a possible behavior of M'. Note that our 
simulation is an extension of the classical simulation used by Milner [Mil71], 
where there are no fairness conditions. We sometimes relate modules (with no 
fairness condition) with ≤. Then, we assume that all computations are fair, and 
the relation that follows coincides with the one in [Mil71]. 




388 O. Kupferman and M.Y. Vardi 
Theorem 2. [GL94] 

(1) The simulation relation ≤ is a preorder (i.e., a reflexive and transitive 
order). 

(2) For every M and M' such that M ≤ M', and for every universal branching 
temporal logic formula φ, M' ⊨ φ implies M ⊨ φ. 

Let M and M' be two modules. The composition of M and M', denoted 
M‖M', is a module that has exactly those behaviors that are common to M and 
M'. Formally, if M = (AP, W, R, W₀, L) and M' = (AP', W', R', W'₀, L'), then 
M‖M' = (AP'', W'', R'', W''₀, L''), where 

- AP'' = AP ∪ AP'. 

- W'' = {(w, w') : L(w) ∩ AP' = L(w') ∩ AP}. 

- R'' = {((w, w'), (s, s')) : (w, s) ∈ R and (w', s') ∈ R'}. 

- W''₀ = (W₀ × W'₀) ∩ W''. 

- For every (w, w') ∈ W'', we have L''((w, w')) = L(w) ∪ L'(w'). 

We also define the composition of a fair module M with a module M'. 
Here, M‖M' is a fair module that has exactly those behaviors that are common 
to M and M' and are fair in M. Formally, if M = (AP, W, R, W₀, L, α) and 
M' = (AP', W', R', W'₀, L'), then M‖M' = (AP'', W'', R'', W''₀, L'', α''), where 
AP'', W'', R'', W''₀, and L'' are as in the composition of two modules, and 

- α'' = {((G × W') ∩ W'', (B × W') ∩ W'') : (G, B) ∈ α}. 

It is easy to see that if M and M' have n and n' states (that we assume to be 
disjoint), and M has m pairs in its fairness condition, then M‖M' has nn' states 
and m pairs. 

The following properties of compositions are proven in [GL94] for fair Streett 
modules (modules where the fairness condition is Streett), and we prove them 
here for modules and fair Rabin modules. 

Theorem 3. For every module M and fair Rabin modules M' and M'', the 
following hold. 

(1) If M' ≤ M'' then M‖M' ≤ M‖M''. 

(2) M' ≤ M'‖M'. 

Proof: The proof is very similar to the proof for Streett modules given in 
[GL94]. We start with (1). Assume that M' ≤ M''. Let H be a simulation 
from M' to M''. Let W be the state space of M. It is easy to see that the 
relation H' = {((w, w'), (w, w'')) : H(w', w'')} is a simulation from M‖M' to 
M‖M''. In order to prove (2), recall that the state space of M'‖M' is W' × W', 
where W' is the state space of M'. Therefore, it is easy to see that the relation 
H = {(w', (w', w'))} is a simulation from M' to M'‖M'. □ 
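The composition and the simulation preorder above, as an added example that is not part of the paper: Python that builds M‖M' from the definition and computes the greatest simulation for modules without fairness conditions (where, as noted above, ≤ coincides with Milner's relation). The client and arbiter modules are constructed for illustration, and the checks instantiate Theorem 3 (1) and (2).

```python
# Added example (not from the paper): the composition M||M' of Section 2.2 and a
# simulation check M <= M' for modules without fairness conditions, where the
# computation-based condition (2.2) coincides with Milner's coinductive one.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, FrozenSet, Hashable, Set, Tuple

State = Hashable


@dataclass
class Module:
    """M = (AP, W, R, W0, L) with R given as a set of (source, target) pairs."""
    AP: FrozenSet[str]
    W: FrozenSet[State]
    R: FrozenSet[Tuple[State, State]]
    W0: FrozenSet[State]
    L: Dict[State, FrozenSet[str]]

    def succ(self, s: State) -> Set[State]:
        return {t for (u, t) in self.R if u == s}


def compose(M: Module, Mp: Module) -> Module:
    """M||M' exactly as defined above: joint states agree on the shared atoms,
    transitions are taken in lockstep, and labels are unioned."""
    W2 = frozenset((w, wp) for w in M.W for wp in Mp.W
                   if M.L[w] & Mp.AP == Mp.L[wp] & M.AP)
    R2 = frozenset(((w, wp), (s, sp)) for (w, s) in M.R for (wp, sp) in Mp.R
                   if (w, wp) in W2 and (s, sp) in W2)
    W02 = frozenset((w, wp) for w in M.W0 for wp in Mp.W0 if (w, wp) in W2)
    L2 = {(w, wp): M.L[w] | Mp.L[wp] for (w, wp) in W2}
    return Module(M.AP | Mp.AP, W2, R2, W02, L2)


def simulation(M: Module, Mp: Module) -> Set[Tuple[State, State]]:
    """Greatest relation H satisfying conditions (2.1) and (2.2) of Section 2.2,
    computed as a fixpoint: start from all label-compatible pairs and drop a pair
    (s, s') while some R-successor of s has no H-related R'-successor of s'."""
    if not Mp.AP <= M.AP:
        raise ValueError("simulation requires AP' to be a subset of AP")
    H = {(s, t) for s in M.W for t in Mp.W if M.L[s] & Mp.AP == Mp.L[t]}
    changed = True
    while changed:
        changed = False
        for (s, t) in list(H):
            matched = all(any((s2, t2) in H for t2 in Mp.succ(t)) for s2 in M.succ(s))
            if not matched:
                H.discard((s, t))
                changed = True
    return H


def simulates(M: Module, Mp: Module) -> bool:
    """M <= M': every initial state of M is H-related to an initial state of M'."""
    H = simulation(M, Mp)
    return all(any((w, wp) in H for wp in Mp.W0) for w in M.W0)


# Constructed sample modules (hypothetical names). The client alternates between
# idle and requesting; the arbiter answers a request by granting or dropping it.
fs = frozenset
CLIENT = Module(
    AP=fs({"req"}), W=fs({"c0", "c1"}),
    R=fs({("c0", "c1"), ("c1", "c0")}), W0=fs({"c0"}),
    L={"c0": fs(), "c1": fs({"req"})})
ARBITER = Module(
    AP=fs({"req", "grant"}), W=fs({"a0", "a1", "a2"}),
    R=fs({("a0", "a1"), ("a1", "a2"), ("a1", "a0"), ("a2", "a1")}), W0=fs({"a0"}),
    L={"a0": fs(), "a1": fs({"req"}), "a2": fs({"grant"})})
# A laxer arbiter that may also stall on a pending request: it has strictly more
# behaviours, so ARBITER <= ARBITER_LAX but not the other way round.
ARBITER_LAX = Module(ARBITER.AP, ARBITER.W, ARBITER.R | {("a1", "a1")}, ARBITER.W0, ARBITER.L)


def check_theorem_3() -> dict:
    """Instances of Theorem 3 (1) and (2) and of the direction of <=."""
    return {
        "ARBITER <= ARBITER_LAX": simulates(ARBITER, ARBITER_LAX),                     # True
        "ARBITER_LAX <= ARBITER": simulates(ARBITER_LAX, ARBITER),                     # False
        "CLIENT||ARBITER <= CLIENT||ARBITER_LAX":
            simulates(compose(CLIENT, ARBITER), compose(CLIENT, ARBITER_LAX)),        # True
        "ARBITER <= ARBITER||ARBITER": simulates(ARBITER, compose(ARBITER, ARBITER)),  # True
        "CLIENT||ARBITER <= ARBITER": simulates(compose(CLIENT, ARBITER), ARBITER),    # True
    }
```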
A fair module M is a maximal model for a ∀CTL* formula φ if it allows 
all behaviors consistent with φ. Formally, M is a maximal model of φ if M ⊨ φ 
and for every fair module M' we have that M' ≤ M if M' ⊨ φ. Note that by 
the preceding theorem, if M' ≤ M, then M' ⊨ φ. Thus, M_φ is a maximal model 
for φ if for every fair module M, we have that M ≤ M_φ iff M ⊨ φ. 

Theorem 4. [GL94] For every ∀CTL formula φ, there exists a maximal model 
M_φ of size 2^{O(|φ|)}. 

2.3 Büchi Word Automata 

Given an alphabet Σ, an infinite word over Σ is an infinite sequence w = 
w₁ · w₂ · w₃ · · · of letters in Σ. A Büchi automaton over infinite words is A = 
(Σ, Q, δ, Q₀, F), where Σ is the input alphabet, Q is a finite set of states, δ : 
Q × Σ → 2^Q is a transition function, Q₀ ⊆ Q is a set of initial states, and F ⊆ Q 
is an acceptance condition (a condition that defines a subset of Q^ω). Intuitively, 
δ(q, σ) is the set of states that A can move into when it is in state q and it reads 
the letter σ. Since A may have several initial states and since the transition 
function may specify many possible transitions for each state and letter, A may 
be nondeterministic. If |Q₀| = 1 and δ is such that for every q ∈ Q and σ ∈ Σ, 
we have that |δ(q, σ)| = 1, then A is a deterministic automaton. 

Given an input infinite word w = σ₀ · σ₁ · · · ∈ Σ^ω, a run of A on w can be 
viewed as a function r : ℕ → Q where r(0) ∈ Q₀ (i.e., the run starts in one of 
the initial states) and for every i ≥ 0, we have r(i + 1) ∈ δ(r(i), σ_i) (i.e., the run 
obeys the transition function). Each run r induces a set inf(r) of states that r 
visits infinitely often. Formally, 

$$\mathit{inf}(r) = \{ q \in Q : \text{for infinitely many } i \ge 0, \text{ we have } r(i) = q \}.$$

As Q is finite, it is guaranteed that inf(r) ≠ ∅. The run r accepts w iff inf(r) ∩ 
F ≠ ∅. Note that a nondeterministic automaton can have many runs on w. In 
contrast, a deterministic automaton has a single run on w. An automaton A 
accepts an input word w iff there exists a run r of A on w such that r accepts 
w. The language of A, denoted ℒ(A), is the set of infinite words that A accepts. 
Thus, each word automaton defines a subset of Σ^ω. 

Computations of a fair module can be viewed as infinite words over the 
alphabet 2^{AP}. According to this view, each fair module corresponds to a language 
over the alphabet 2^{AP} and can be associated with an automaton. A similar 
connection has been established between LTL formulas and Büchi automata: 

Theorem 5. [VW94] Given an LTL formula ψ, there is a Büchi automaton 
A_ψ = (2^{AP}, Q, δ, Q₀, F), with 2^{O(|ψ|)} states, such that ℒ(A_ψ) is exactly the set 
of computations satisfying ψ. 
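An added example, not from the paper: a Büchi automaton over the alphabet 2^AP and an acceptance test for ultimately periodic words u · v^ω, with two constructed automata for the properties "infinitely many grants" and "eventually always grant"; the second is nondeterministic, illustrating the distinction drawn above, and the state and proposition names are assumptions of the example.

```python
# Added example (not from the paper): a Büchi word automaton as in Section 2.3,
# with an acceptance check for ultimately periodic words u . v^omega. Letters are
# frozensets of atomic propositions, so the automata read computations of a
# module over the alphabet 2^AP, as in Theorem 5.
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, FrozenSet, Hashable, Iterable, Set, Tuple

Letter = FrozenSet[str]
Node =  Tuple[Hashable, int]  # (automaton state, position in u or v)


@dataclass
class Buchi:
    """A = (Sigma, Q, delta, Q0, F); delta is a function so that the alphabet
    2^AP need not be enumerated explicitly."""
    Q: FrozenSet[Hashable]
    delta: Callable[[Hashable, Letter], Set[Hashable]]
    Q0: FrozenSet[Hashable]
    F: FrozenSet[Hashable]

    def is_deterministic(self, letters: Iterable[Letter]) -> bool:
        letters = list(letters)
        return len(self.Q0) == 1 and all(len(self.delta(q, a)) == 1
                                         for q in self.Q for a in letters)


def accepts(A: Buchi, u: Tuple[Letter, ...], v: Tuple[Letter, ...]) -> bool:
    """Does A accept w = u . v^omega?  Runs on such a word are paths in the finite
    graph on pairs (state, position) where positions inside v wrap around; an
    accepting run exists iff some (f, i) with f in F lies on a cycle of that graph
    that is reachable from an initial pair (q0, 0)."""
    n = len(u) + len(v)
    letter = lambda i: u[i] if i < len(u) else v[i - len(u)]
    nxt = lambda i: i + 1 if i + 1 < n else len(u)  # fold back into v

    def reach(start: Set[Node]) -> Set[Node]:
        """Nodes reachable from `start` in one or more steps."""
        seen, todo = set(), list(start)
        while todo:
            q, i = todo.pop()
            for q2 in A.delta(q, letter(i)):
                if (q2, nxt(i)) not in seen:
                    seen.add((q2, nxt(i)))
                    todo.append((q2, nxt(i)))
        return seen

    reachable = reach({(q0, 0) for q0 in A.Q0})
    candidates = {(q, i) for (q, i) in reachable if q in A.F and i >= len(u)}
    return any(node in reach({node}) for node in candidates)  # node lies on a cycle


# Constructed automata for LTL properties over AP = {req, grant} (names assumed).
# "Infinitely many grants" (G F grant): state 1 records that a grant was just read.
A_GF_GRANT = Buchi(Q=frozenset({0, 1}),
                   delta=lambda q, a: {1} if "grant" in a else {0},
                   Q0=frozenset({0}), F=frozenset({1}))
# "Eventually always grant" (F G grant): state 0 waits and may guess that the
# all-grant suffix has begun; state 1 then dies on any letter without grant.
A_FG_GRANT = Buchi(Q=frozenset({0, 1}),
                   delta=lambda q, a: ({0, 1} if "grant" in a else {0}) if q == 0
                                      else ({1} if "grant" in a else set()),
                   Q0=frozenset({0}), F=frozenset({1}))


def check_samples() -> dict:
    fs = frozenset
    alternating = ((fs({"req"}), fs()), (fs({"req"}), fs({"grant"})))  # req, -, (req grant)^w
    stable = ((fs({"req"}),), (fs({"grant"}),))                          # req, grant^w
    return {
        "GF grant on alternating": accepts(A_GF_GRANT, *alternating),   # True
        "FG grant on alternating": accepts(A_FG_GRANT, *alternating),   # False
        "FG grant on stable": accepts(A_FG_GRANT, *stable),             # True
        "GF grant on req^w": accepts(A_GF_GRANT, (), (fs({"req"}),)),   # False
        "GF automaton deterministic": A_GF_GRANT.is_deterministic([fs(), fs({"grant"})]),  # True
        "FG automaton deterministic": A_FG_GRANT.is_deterministic([fs(), fs({"grant"})]),  # False
    }
```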
2.4 Branching Modular Model-Checking for ∀CTL 

In modular verification, one uses assertions of the form ⟨φ⟩M⟨ψ⟩ to specify that 
whenever M is part of a system satisfying the universal branching temporal logic 
formula φ, the system satisfies the universal branching temporal logic formula 
ψ too. Formally, ⟨φ⟩M⟨ψ⟩ holds if M‖M' ⊨ ψ for all M' such that M‖M' ⊨ φ. 
Here φ is an assumption on the behavior of the system and ψ is the guarantee 
on the behavior of the fair module. Assume-guarantee assertions are used in 
modular proof rules of the following form: 

$$\frac{\langle \varphi_1 \rangle M_1 \langle \psi_1 \rangle \qquad \langle \mathit{true} \rangle M_1 \langle \varphi_1 \rangle \qquad \langle \varphi_2 \rangle M_2 \langle \psi_2 \rangle \qquad \langle \mathit{true} \rangle M_2 \langle \varphi_2 \rangle}{\langle \mathit{true} \rangle M_1 \| M_2 \langle \psi_1 \wedge \psi_2 \rangle}$$

Thus, a key step in modular verification is checking that assume-guarantee 
assertions hold, which we call the branching modular model-checking problem. It 
was shown in [GL94] that the maximal-model technique yields a solution to the 
modular model-checking problem. 



Theorem 6. [GL94] For all ∀CTL formulas φ and ψ, and for every fair module 
M, we have that ⟨φ⟩M⟨ψ⟩ iff M‖M_φ ⊨ ψ. 

Thus, modular model checking for ∀CTL is reducible to standard model checking 
for ∀CTL. Combining this with Theorems 4 and 1, we get the following 
complexity results. 



Theorem 7. 

(1) Determining whether ⟨φ⟩M⟨ψ⟩, for φ and ψ in ∀CTL, can be done in time 
k · m · 2^{O(l)} and space O(m(log k + l)²), where k is the size of M, l is the length 
of φ, and m is the length of ψ. 

(2) Determining whether ⟨φ⟩M⟨ψ⟩, for φ in ∀CTL and ψ in ∀CTL*, can be 
done in time k · 2^{O(l+m)} and space O(m(log k + l + m)²), where k is the size 
of M, l is the length of φ, and m is the length of ψ. 

A comparison of Theorem 7 with Theorem 1 shows that the complexity of 
branching modular model checking with assumptions in ∀CTL is higher than the 
complexity of CTL model checking, but is comparable to the complexity of LTL 
model checking. How do LTL and ∀CTL compare from the expressiveness point 
of view? While ∀CTL and LTL have incomparable expressive power, in practice 
one often finds LTL to be more expressive, as the specifications that can be 
expressed in ∀CTL but not in LTL rarely arise in practical settings. Since the 
complexity of CTL model checking is lower than that of LTL model checking 
(Theorem 1), we are often willing to settle for the lower expressiveness of CTL; 
that is, we are willing to verify the design with respect to weaker specifications, 
with the hope that design errors will be discovered in the process. For example, 
a significant portion of verified properties are safety properties that can be 
expressed as AGp, where p is a propositional formula. 

While we might be willing to settle for a weak guarantee, we cannot, however, 
settle for weak assumptions. In many cases one needs to adopt rather strong 
assumptions in order to verify even a very weak guarantee. Very often such 
assumptions are simply not expressible in ∀CTL. For example, the assumption 
AFGp, where p is a propositional formula, cannot be expressed in ∀CTL [EH86]. 
Thus, ∀CTL is simply not expressive enough as a specification language for 
modular model checking. In the next section we will consider using ∀CTL* and 
LTL as specification languages for assumptions in modular model checking. 

3 Modular Model-Checking for ∀CTL* and LTL 

3.1 Maximal Models 

We now consider assumptions in ∀CTL*, and we wish to construct maximal 
models for such assumptions. Unfortunately, the tableau-based technique that was 
used in the proof of Theorem 4 does not seem to extend to ∀CTL*. Indeed, while 
the satisfiability problem for CTL can be solved using tableau-based techniques 
[EH85], the satisfiability problem for CTL* requires sophisticated automata-theoretic 
techniques [EJ88]. We now show that these automata-theoretic techniques 
can be used to construct maximal models for ∀CTL* formulas. 

Theorem 8. For every ∀CTL* formula φ, there exists a maximal model M_φ of 
size 2^{2^{O(|φ|)}}. 

Proof: For a ∀CTL* formula φ, let sf(φ) denote the set of state subformulas 
of φ. Given φ, let ∀(φ) ⊆ sf(φ) denote the set of all the state subformulas of φ of 
the form Aξ. Let U_∀(φ) be a Büchi ω-automaton over Σ = 2^{sf(φ)} such that U_∀(φ) 
accepts an infinite word π = w₀, w₁, ... iff there exists a suffix w_i, ... of π 
and a formula Aξ ∈ ∀(φ) such that Aξ ∈ w_i and w_i, ... does not satisfy 
ξ. Technically, U_∀(φ) nondeterministically guesses a location i and a formula Aξ 
and then follows the Büchi ω-automaton of ¬ξ. Consequently, if w_i, ... 
does not satisfy ξ, the automaton U_∀(φ) would accept π. By Theorem 5, such 
a U_∀(φ) of size 2^{O(|φ|)} exists. Note that though ξ is a path formula of a branching 
temporal logic, we interpret it here over linear sequences. Since these sequences 
are labeled with all the state subformulas of φ, this causes no difficulty, as we 
can regard the state subformulas of ξ as atomic propositions and regard ξ as a 
linear temporal logic formula. 

We now take U_∀(φ) and co-determinize it. The resulting automaton, called 
A_∀(φ), is a deterministic Rabin automaton that accepts exactly all the words 
π = w₀, w₁, ... for which if a state w_i is labeled with some Aξ ∈ ∀(φ), then ξ 
is satisfied in the suffix w_i, w_{i+1}, ... of π. By [Saf89], the automaton A_∀(φ) is of 
size 2^{2^{O(|φ|)}}. 

For a set s ⊆ sf(φ), we say that s is consistent iff the following four conditions 
hold: 

1. For every p ∈ AP, if p ∈ s, then ¬p ∉ s. 

2. For every p ∈ AP, if ¬p ∈ s, then p ∉ s. 

3. For every φ₁ ∧ φ₂ ∈ s, we have that φ₁ ∈ s and φ₂ ∈ s. 

4. For every φ₁ ∨ φ₂ ∈ s, we have that φ₁ ∈ s or φ₂ ∈ s. 

Let c(φ) denote the set of all consistent subsets of sf(φ). Consider the module 

$$M = (AP,\ c(\varphi),\ c(\varphi) \times c(\varphi),\ W_0,\ L),$$

where the initial set W₀ includes all states w ∈ c(φ) for which φ ∈ w (note 
that if φ is satisfiable, the set W₀ is not empty), and for every w ∈ c(φ), we 
have that L(w) = w ∩ AP. That is, M is more general than any model of φ, 
yet it is not necessarily a model of φ. To make it a maximal model, we take 
the product of M with A_∀(φ) as follows. Let A_∀(φ) = (Σ, Q, δ, q₀, β), where 
β = {(G₁, B₁), ..., (G_k, B_k)}. Then, M_φ = (AP, c(φ) × Q, R, W₀ × {q₀}, L', β'), 
where R, L', and β' are defined as follows. 

— R = {((w, q), (w', q')) : δ(q, w) = q'}. 

— For all w ∈ c(φ) and q ∈ Q, we have L'((w, q)) = L(w). 

— β' = {(c(φ) × G₁, c(φ) × B₁), ..., (c(φ) × G_k, c(φ) × B_k)}. 

We now prove the correctness of our construction. That is, we show that M_φ ⊨ φ 
and that for all fair modules M, we have M ⊨ φ only if M ≤ M_φ. We first 
prove that M_φ ⊨ φ. More precisely, we prove that for every reachable state 
(w, q) ∈ c(φ) × Q, and for every formula ψ ∈ w, we have that (w, q) ⊨ ψ. 
The proof proceeds easily by induction on the structure of ψ. In particular, 
satisfaction of formulas of the form Aψ follows from the product with A_∀(φ). To 
see this, consider a state (w, q) and a formula Aψ ∈ w. Let (w₁, q₁), (w₂, q₂), ... be 
a fair computation of M_φ that starts in (w, q); that is, (w₁, q₁) = (w, q). By the 
definition of R and β', the sequence w₁, w₂, ... is a suffix of a word accepted by 
A_∀(φ). Hence, for all formulas of the form Aψ' ∈ w, the computation w₁, w₂, ... 
satisfies ψ'. Thus, in particular, w₁, w₂, ... satisfies ψ. 

Consider now a fair module M = (AP, W_M, R_M, W⁰_M, L_M, α_M) and assume 
that M ⊨ φ. We show a simulation H from M to M_φ. For every state w ∈ W_M, 
define f(w) to be the set in c(φ) of state formulas that are true in w. The 
simulation H is the smallest set that satisfies the following: 

— For every w ∈ W⁰_M, we have H(w, (f(w), q₀)). 

— For every w₁, w₂ in W_M and (f(w₁), q₁) ∈ c(φ) × Q such that (w₁, w₂) ∈ R_M 
and H(w₁, (f(w₁), q₁)), we have H(w₂, (f(w₂), δ(q₁, f(w₁)))). 

We prove that H is indeed a simulation from M to M_φ. That is, we prove 
that for all w ∈ W⁰_M, there exists w' ∈ W₀ × {q₀} such that H is a simulation 
relation from (M, w) to (M_φ, w'). Consider a state w ∈ W⁰_M. Since M ⊨ φ, then, 
by the definition of f(w) and W₀, we have (f(w), q₀) ∈ W₀ × {q₀}, and hence, by 
the definition of H, we have H(w, (f(w), q₀)). Now, let w ∈ W_M and (f(w), q) ∈ 
c(φ) × Q be such that H(w, (f(w), q)). By the definition of H, all the pairs in H 
are of this form. By the definition of L', we have that L'((f(w), q)) = L_M(w). So, 
the first requirement on pairs in a simulation holds. For the second requirement, 
assume H(w, (f(w), q)) and let π = w₀, w₁, ... be a fair computation in M 
with w₀ = w. Consider the computation π' = (f(w₀), q), (f(w₁), q₁), (f(w₂), q₂), ..., where 
q₁ = δ(q, f(w)) and for every i ≥ 1, we have q_{i+1} = δ(q_i, f(w_i)). By the definition 
of H, we have that for all i ≥ 1 we have H(w_i, (f(w_i), q_i)). So, it remains to 
show that π' is fair in M_φ. Since M ⊨ φ and π is fair, then for each state w_i 
and formula Aξ ∈ ∀(φ) such that Aξ ∈ f(w_i), we have that ξ is satisfied in 
w_i, .... Thus, q_i, q_{i+1}, ... is an accepting run of A_∀(φ) with q_i as an initial 
state over w_i, w_{i+1}, .... Therefore, by the definition of β', the computation π' is 
fair. □ 

We can now obtain an alternative proof of Theorem 4. 

Theorem 9. For every ∀CTL formula φ, there exists M_φ of size 2^{O(|φ|)}. 

Proof: Exactly as for ∀CTL*. Here, however, U_∀(φ) is of size O(|φ|), and hence 
A_∀(φ) is of size … □ 

3.2 The Branching Modular Model-Checking Problem 

We now show that the maximal-model technique enables us to reduce modular 
model checking to standard model checking. 

Theorem 10. For all ∀CTL* formulas φ and ψ, and for every fair module M, 
we have that ⟨φ⟩M⟨ψ⟩ iff M‖M_φ ⊨ ψ. 

Proof: Assume first that ⟨φ⟩M⟨ψ⟩. Thus, whenever M is part of a system 
satisfying φ, the system satisfies ψ too. Since M_φ ⊨ φ and M‖M_φ ≤ M_φ, we 
have, by Theorem 2 (2), that M‖M_φ satisfies φ. Consequently, M‖M_φ satisfies 
ψ. 

Assume now that M‖M_φ ⊨ ψ and let M‖M' be such that M‖M' ⊨ φ. Then, 
M‖M' ≤ M_φ, which implies, by Theorem 3 (1), that M‖M‖M' ≤ M‖M_φ. 
Thus, by Theorem 3 (2), M‖M' ≤ M‖M_φ and therefore, by Theorem 2 (2), 
M‖M' ⊨ ψ. Hence, ⟨φ⟩M⟨ψ⟩. □ 

It follows that branching modular model checking can be reduced to fair 
model checking. In Theorem 11 below we apply the reduction to the logics ∀CTL 
and ∀CTL*. We also show that the upper bounds that follow are tight. 

Theorem 11. 

(1) The branching modular model-checking problem for ∀CTL is PSPACE-complete. 

(2) The branching modular model-checking problem for ∀CTL* is EXPSPACE-complete. 

(3) Determining whether ⟨φ⟩M⟨ψ⟩, for φ and ψ in ∀CTL*, can be done in time 
k · 2^{O(m) + 2^{O(l)}} and space O(m(m + log k + 2^{O(l)})²), where l is the length of φ, 
k is the size of M, and m is the length of ψ. 

(4) Determining whether ⟨φ⟩M⟨ψ⟩, for φ in ∀CTL* and ψ in ∀CTL, can be 
done in time k · m · 2^{2^{O(l)}} and space O(m(log k + 2^{O(l)})²), where l is the length of 
φ, k is the size of M, and m is the length of ψ. 

Proof: We start with the upper bounds. By Theorem 10, the problem of 
determining whether ⟨φ⟩M⟨ψ⟩ is reducible to model checking of ψ in M‖M_φ. The 
upper bounds then follow from Theorems 1 and 8. 

We now turn to the lower bounds. For both bounds, we do a reduction from
the implication problem. The implication problem is defined as follows: given
two formulas φ and ψ, does φ imply ψ (denoted φ → ψ)? Namely, does ψ hold
in every fair module in which φ holds? For a set AP of atomic propositions, let
M_AP be the maximal model over AP. That is,

$$M_{AP} = \langle AP,\ 2^{AP},\ 2^{AP} \times 2^{AP},\ 2^{AP},\ L,\ \{\langle 2^{AP}, \emptyset\rangle\}\rangle,$$

where for all w ∈ 2^AP we have that L(w) = w. Let φ and ψ be ∀CTL* formulas
over a set AP of atomic propositions. For every fair module M, the fair modules
M and M∥M_AP simulate each other. Hence, for every ∀CTL* formula φ over
AP we have that M∥M_AP ⊨ φ iff M ⊨ φ. Thus, the implication φ → ψ holds
iff ⟨φ⟩M_AP⟨ψ⟩. The complexity of the reduction depends on the size of M_AP.
We will show that for both ∀CTL and ∀CTL*, the size of M_AP is fixed.

To prove the PSPACE lower bound for the implication problem for ∀CTL,
we prove a PSPACE lower bound for its satisfiability problem. The result then
follows since the formula φ is satisfiable if and only if φ does not imply A false.
We prove hardness in PSPACE for ∀CTL satisfiability by a reduction from LTL
satisfiability, proved to be PSPACE-hard in [SC85]. Given an LTL formula ξ, let
φ_A be the ∀CTL formula obtained from ξ by preceding each temporal operator
with the path quantifier A. For example, if ξ = FXp then φ_A = AF AXp. It is
easy to see that ξ is satisfiable iff φ_A is satisfiable. Indeed, a computation that
satisfies ξ can be viewed as a fair module satisfying φ_A. For the second direction,
assume that φ_A is satisfiable in some fair module M. Consider a fair computation
π of M. We can view π as a fair module of branching degree 1. Clearly, π
simulates M, and thus, it satisfies φ_A as well. Also, since its branching degree
is 1, the computation π also satisfies ξ. Thus, ξ is satisfiable. The satisfiability
problem for LTL is PSPACE-hard already for formulas with a fixed number
of atomic propositions. The PSPACE-hardness proof in [SC85] uses temporal
formulas with an unbounded number of atomic propositions. Nevertheless, by
using a Turing machine M that accepts a PSPACE-complete language, it is
possible to bound the number of atomic propositions used to the size of the
working alphabet of M. Since it is possible to encode the truth values of m
atomic propositions in one state by the truth values of a single atomic proposition
along log m states, it follows that satisfiability of temporal formulas with a single
atomic proposition is also PSPACE-hard. It follows that the implication problem
for ∀CTL is PSPACE-hard already for formulas with a fixed number of atomic
propositions. Thus, the size of M_AP in our reduction is fixed.

To prove the EXPSPACE lower bound for the implication problem for ∀CTL*,
we do a reduction from the problem whether an exponential-space deterministic
Turing machine T accepts an input word x. That is, given T and x, we construct
two ∀CTL* formulas φ and ψ such that T accepts x iff φ does not imply ψ. In
fact we prove a stronger lower bound. Given T and x, we construct an LTL
formula ξ and an ∃CTL formula θ such that the length of ξ is polynomial in the
size of T and the length of x, the length of θ is fixed, and T accepts an input
word x iff the formula Aξ ∧ θ is satisfiable. Thus, taking φ = Aξ and ψ = ¬θ,
we have that T accepts x iff the implication φ → ψ does not hold. Thus, the
branching modular model-checking problem is EXPSPACE-complete even for
an assumption of the form Aξ, where ξ is an LTL formula, a fixed fair module,
and an ∀CTL guarantee. For details see [KV95]. □

Note that the crucial factor in the complexity of the branching modular
model-checking problem is the assumption part of the specification. Indeed, the
lower bounds given in Theorem 11 remain true even if we fix the guarantee part
of the specification. This suggests that modular model checking in the branching
temporal framework can be practical only for very small assumptions. Indeed,
in many examples the assumptions do tend to be of a very small size [Jos87b,
Jos89, GL94], see also [AL93]. We will come back to this point in Section 4.



3.3 The Linear-Branching Modular Model-Checking Problem

The modular proof rule in the preceding section uses branching assumptions and
guarantees. As mentioned in the introduction, there is another approach in which
the assumption is a linear temporal formula, while the guarantee is a branching
temporal formula. In this approach, the assumption in the assume-guarantee
pair concerns the interaction of the module with its environment along each
computation, and is therefore more naturally expressed in a linear temporal
logic. We denote this kind of assertion by [φ]M⟨ψ⟩. The meaning of such an
assertion is that the branching temporal formula ψ holds in the computation
tree that consists of all computations of the program that satisfy the linear
temporal formula φ.

The idea is to use assume-guarantee assertions in modular proof rules of the
following form [Jos87a, Jos87b, Jos89]:

$$\frac{[\varphi_2]M_1\langle\psi_1\rangle \qquad [\mathit{true}]M_1\langle br(\varphi_1)\rangle \qquad [\varphi_1]M_2\langle\psi_2\rangle \qquad [\mathit{true}]M_2\langle br(\varphi_2)\rangle}{[\mathit{true}]\,M_1\|M_2\,\langle\psi_1 \wedge \psi_2\rangle}$$

where br(φ) is a branching version (it is an ∀CTL formula) of the LTL formula
φ; see the above references for details.¹ Verifying assertions of the form [φ]M⟨ψ⟩ is
called the linear-branching modular model-checking problem.

In order to define the linear-branching model-checking problem formally,
we define extended modules. An extended module ⟨M, P⟩ is a module M =
⟨AP, W, R, W₀, L⟩ extended by a language P ⊆ (2^AP)^ω. We regard P as a fairness
condition: a computation π of M is fair iff L(π) ∈ P. Unlike the Rabin fairness
condition, fairness of a computation π with respect to P cannot be determined
by the fairness of any of π's suffixes. Therefore, in order to define the semantics
of CTL* formulas with respect to extended modules, we first associate with
each module M a tree module M^t. Intuitively, M^t is obtained by unwinding
M to an infinite tree. Let M = ⟨AP, W, R, W₀, L⟩. A partial path ζ in M is a
finite prefix w₀, w₁, …, w_k of a computation in M, where w₀ ∈ W₀. We denote
the set of partial paths of M by ppath(M). The tree module of M is M^t =
⟨AP, ppath(M), R^t, {w₀}, L^t⟩, where for every partial path ζ = w₀, …, w_k ∈
ppath(M), we have

— R^t(ζ, ζ') iff there exists w_{k+1} ∈ W such that ζ' = w₀, …, w_k, w_{k+1} and
R(w_k, w_{k+1}). That is, the partial path ζ' extends the partial path ζ by a
single transition in M.

— L^t(ζ) = L(w_k).

Note that M^t is indeed a tree; every state has a unique predecessor. A compu-
tation ζ₀, ζ₁, … in M^t is an anchored path iff ζ₀ is in W₀.

The semantics of CTL* with respect to tree modules extended by a fairness
condition P ⊆ (2^AP)^ω is defined as the usual semantics of CTL*, with path
quantification ranging only over anchored paths that are labeled by a word in
P. Thus, for example,

— ζ ⊨ Eξ if there exists an anchored path π = ζ₀, …, ζ_i, ζ_{i+1}, … of M^t and
i ≥ 0 such that L(π) ∈ P, ζ_i = ζ, and π^i ⊨ ξ.

— ζ ⊨ Aξ if for all anchored paths π = ζ₀, …, ζ_i, ζ_{i+1}, … of M^t and i ≥ 0 such
that L(π) ∈ P and ζ_i = ζ, we have π^i ⊨ ξ.

Note that by defining the truth of formulas on the nodes of the computation
tree M^t, we guarantee that only one path leads to each node. The extended tree
module ⟨M^t, P⟩ satisfies a formula ψ iff {w₀} ⊨ ψ. We say that ⟨M, P⟩ ⊨ ψ
iff ⟨M^t, P⟩ ⊨ ψ. Now, [φ]M⟨ψ⟩ holds iff ⟨M, P_φ⟩ ⊨ ψ, where P_φ is the set of all
computations that satisfy φ.

We first show that when the language P is given by a deterministic Rabin
automaton, we can translate the extended module ⟨M, P⟩ to an equivalent fair
module.

Lemma 12. Let ⟨M, P⟩ be an extended module and let A_P be a deterministic
Rabin automaton such that ℒ(A_P) = P. We can construct a fair module M'
such that for every CTL* formula ψ, we have that ⟨M, P⟩ ⊨ ψ iff M' ⊨ ψ.
Moreover, M' ≤ M∥M'.

Proof: Let M = ⟨AP, W, R, W₀, L⟩ and A_P = ⟨2^AP, Q, δ, q₀, F⟩. We define
M' = ⟨AP, W × Q, R', W₀ × {q₀}, L', α⟩, where

— R'(⟨w, q⟩, ⟨w', q'⟩) iff R(w, w') and δ(q, L(w)) = q'.

— L'(⟨w, q⟩) = L(w).

— α = {⟨W × G, W × B⟩ : ⟨G, B⟩ ∈ F}.

¹ We note that the formal definitions of [φ]M⟨ψ⟩ in [Jos87a, Jos87b, Jos89] apply
only to restricted linear temporal assumptions and involve a complicated syntactic
construction.

We prove that ⟨M^t, P⟩ and M' satisfy the same CTL* formulas. For a state
ζ = w₀, …, w_k ∈ ppath(M), we denote by last(ζ) the state w_k ∈ W, and
denote by σ(ζ) the finite word L(w₀) ⋯ L(w_k) ∈ (2^AP)*. Also, for a finite word
σ ∈ (2^AP)*, let δ(q₀, σ) be the state that A_P reaches after reading σ.

The fact that every state in M^t is associated with a single partial path of M
enables us to relate the states of M^t with the states of M'. Formally, we claim the
following. For every CTL* formula ψ and state ζ in ⟨M^t, P⟩, we have that ζ ⊨ ψ
in ⟨M^t, P⟩ iff ⟨last(ζ), δ(q₀, σ(ζ))⟩ ⊨ ψ in M'. In particular, {w₀} ⊨ ψ in ⟨M^t, P⟩
iff ⟨w₀, q₀⟩ ⊨ ψ in M'. The proof proceeds by induction on the structure of ψ. The
interesting case is ψ = Aξ or ψ = Eξ, for a path formula ξ. Let ψ = Aξ. Assume
first that ζ ⊨ ψ in ⟨M^t, P⟩. Then, for every anchored path π = ζ₀, …, ζ_i, ζ_{i+1}, …
of M^t such that L(π) ∈ P and ζ_i = ζ, we have that π^i ⊨ ξ in ⟨M^t, P⟩. Consider
a fair computation ρ = ⟨w₀, q₀⟩, …, ⟨w_i, q_i⟩, ⟨w_{i+1}, q_{i+1}⟩, … in M' for which
⟨w_i, q_i⟩ = ⟨last(ζ), δ(q₀, σ(ζ))⟩. Let π = ζ₀, …, ζ_i, ζ_i·w_{i+1}, ζ_i·w_{i+1}·w_{i+2}, …
be the anchored path in M^t that corresponds to ρ. Since ρ is fair, L(π) ∈ P.
Hence, ζ_i, ζ_i·w_{i+1}, ζ_i·w_{i+1}·w_{i+2}, … satisfies ξ. Then, by the induction hypothesis,
⟨w_i, q_i⟩, ⟨w_{i+1}, q_{i+1}⟩, … satisfies ξ as well and we are done. The proof for ψ = Eξ
is similar.

It is left to see that M' ≤ M∥M'. Recall that the state space of M∥M' is
W × W × Q. Intuitively, since M' is a restriction of M, composing M' with M
does not restrict it further. Formally, it is easy to see that the relation

$$H = \{(\langle w, q\rangle, \langle w, w, q\rangle) : \langle w, q\rangle \in W \times Q\}$$

is a fair simulation from M' to M∥M'. □
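As an added illustration of the product construction in the proof of Lemma 12 (this code is not from the paper), the following Python builds M' from a small hand-built module M and a deterministic Rabin automaton A_P, and checks on two computations that fairness under P (the run of A_P on the computation's labels) and Rabin fairness under α of M' agree. The module M, the automaton A_P for the constructed language P = "p holds infinitely often", and the two computations are all constructed for this example.

```python
# Added example, not from the paper: the product M' of Lemma 12 for a small module M
# and a deterministic Rabin automaton A_P, both constructed here.

# Module M = <AP, W, R, W0, L> (constructed): a and b alternate, or the system
# drifts from b into the sink c. Only a is labelled with the proposition p.
AP = frozenset({"p"})
W = {"a", "b", "c"}
R = {("a", "b"), ("b", "a"), ("b", "c"), ("c", "c")}
W0 = {"a"}
L = {"a": frozenset({"p"}), "b": frozenset(), "c": frozenset()}

# Deterministic Rabin automaton A_P = <2^AP, Q, delta, q0, F> (constructed) for the
# fairness language P = "p holds infinitely often": state 1 means "just read p".
Q = {0, 1}
q0 = 0


def delta(q, letter):
    return 1 if "p" in letter else 0


F = [({1}, set())]  # one pair <G, B>: meet G infinitely often, B only finitely often


def product_module(W, R, W0, L, Q, delta, q0, F):
    """M' = <AP, W x Q, R', W0 x {q0}, L', alpha> exactly as in the proof of Lemma 12."""
    states = {(w, q) for w in W for q in Q}
    R2 = {((w, q), (w2, q2)) for (w, q) in states for (w2, q2) in states
          if (w, w2) in R and delta(q, L[w]) == q2}
    W02 = {(w, q0) for w in W0}
    L2 = {(w, q): L[w] for (w, q) in states}
    alpha = [({(w, q) for w in W for q in G}, {(w, q) for w in W for q in B})
             for (G, B) in F]
    return states, R2, W02, L2, alpha


def rabin_fair(inf, pairs):
    """Rabin acceptance: some pair <G, B> with G met infinitely often and B finitely often."""
    return any(inf & G and not (inf & B) for (G, B) in pairs)


def is_computation(stem, loop, R, W0):
    """stem . loop^omega is a computation of M: it starts in W0 and follows R throughout."""
    seq = list(stem) + list(loop) + [loop[0]]
    return seq[0] in W0 and all((u, v) in R for u, v in zip(seq, seq[1:]))


def product_inf_states(stem, loop, delta, q0, L):
    """States <w, q> of M' visited infinitely often along the unique product
    computation that follows stem . loop^omega (unique because A_P is deterministic).
    The loop is unrolled until the automaton state at the loop head recurs."""
    q = q0
    for w in stem:
        q = delta(q, L[w])          # R' pairs w_{i+1} with delta(q_i, L(w_i))
    head_seen, visited = {}, []
    while q not in head_seen:
        head_seen[q] = len(visited)
        for w in loop:
            visited.append((w, q))
            q = delta(q, L[w])
    return set(visited[head_seen[q]:])


def fair_in_extended_module(stem, loop):
    """Fairness in <M, P>: L(pi) in P, decided by the run of A_P on the labels of pi."""
    inf_q = {q for (_, q) in product_inf_states(stem, loop, delta, q0, L)}
    return rabin_fair(inf_q, F)


def fair_in_product(stem, loop):
    """Fairness of the same computation in M', judged by its Rabin condition alpha."""
    alpha = product_module(W, R, W0, L, Q, delta, q0, F)[4]
    return rabin_fair(product_inf_states(stem, loop, delta, q0, L), alpha)


def agree_on(computations):
    """Lemma 12's bookkeeping: both notions of fairness coincide on every computation."""
    return all(is_computation(s, l, R, W0)
               and fair_in_extended_module(s, l) == fair_in_product(s, l)
               for s, l in computations)


if __name__ == "__main__":
    alternating = ([], ["a", "b"])       # a b a b ...   : p infinitely often, fair
    stuck = (["a", "b"], ["c"])          # a b c c c ... : p only once, unfair
    print(fair_in_extended_module(*alternating), fair_in_product(*alternating))
    print(fair_in_extended_module(*stuck), fair_in_product(*stuck))
    print(agree_on([alternating, stuck]))
```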

To solve the linear-branching model-checking problem, we show that the
branching modular framework is more general than the linear-branching modular
framework. Thus, the algorithms discussed in Section 3.2 are applicable also here.

Theorem 13. For every LTL formula φ, fair module M, and ∀CTL* formula
ψ, we have that ⟨Aφ⟩M⟨ψ⟩ iff [φ]M⟨ψ⟩.

Proof: Given φ, M, and ψ, assume first that [φ]M⟨ψ⟩ holds. Let P_φ be the
set of computations satisfying φ. Thus, the extended module ⟨M, P_φ⟩ satisfies
ψ. Consider the composition M∥M' of M with some module M'. Recall that
for M and M' with state spaces W and W', respectively, the state space W'' of
M∥M' consists of all the pairs ⟨w, w'⟩ for which w and w' agree on the labels of
the atomic propositions joint to M and M'. Then, the relation

$$H = \{(\langle w, w'\rangle, w) : \langle w, w'\rangle \in W''\}$$

is a simulation relation from M∥M' to M. It is easy to see that H is also a
simulation relation from ⟨M∥M', P_φ⟩ to ⟨M, P_φ⟩. Hence, ⟨M∥M', P_φ⟩ satisfies
ψ as well. Let M' be such that M∥M' ⊨ Aφ. That is, all the computations
in M∥M' satisfy φ. Hence, the identity relation is a simulation relation from
M∥M' to ⟨M∥M', P_φ⟩. Therefore, as ⟨M∥M', P_φ⟩ satisfies ψ, so does M∥M',
and we are done.

Assume now that ⟨Aφ⟩M⟨ψ⟩ holds. Let M_{Aφ} be the maximal model of Aφ.
Since M_{Aφ} ⊨ Aφ and M∥M_{Aφ} ≤ M_{Aφ}, we have that M∥M_{Aφ} ⊨ Aφ and there-
fore, by the assumption, M∥M_{Aφ} ⊨ ψ. Let M' be the fair module equivalent
to ⟨M, P_φ⟩, as defined in Lemma 12. That is, ⟨M, P_φ⟩ and M' satisfy the same
CTL* formulas. Since ⟨M, P_φ⟩ ⊨ Aφ, we have that M' ⊨ Aφ. Hence, M' ≤ M_{Aφ}
and therefore, by Theorem 2 (2), M∥M' ≤ M∥M_{Aφ}. Hence, as M∥M_{Aφ} ⊨ ψ,
we have that M∥M' ⊨ ψ. Since, by Lemma 12, M' ≤ M'∥M, it follows that M'
satisfies ψ as well. Hence, ⟨M, P_φ⟩ also satisfies ψ and we are done. □

It is known that the ∀CTL formula AF AGp is not equivalent to any for-
mula of the form Aφ, where φ is an LTL formula. Thus, the branching modular
framework is strictly more expressive than the linear-branching modular frame-
work, with no increase in worst-case computational complexity (we have seen,
in the proof of Theorem 11, that the EXPSPACE lower bound holds already for
assumptions of the form Aφ for an LTL formula φ).

4 Concluding Remarks 

The results of the paper indicate that modular model checking for general uni-
versal or linear assumptions is rather intractable. Our results provide an a pos-
teriori justification for Josko's restriction on the linear temporal assumption
[Jos87a, Jos87b, Jos89]. Essentially, for a restricted linear temporal assump-
tion φ, one can get a more economical automata-theoretic construction of the
maximal model associated with the CTL* formula Aφ (exponential rather than
doubly exponential). We note that it is argued in [LP85] that an exponential
time complexity in the size of the specification might be tolerable in practical
applications.

There is, however, a fundamental difference between the impact that the
guarantee and the assumption have on the complexity of model checking. Both
assumption and guarantee are often given as a conjunction of formulas. That is,
we are often trying to verify assume-guarantee assertions of the form

$$\langle \varphi_1 \wedge \ldots \wedge \varphi_l \rangle\, M\, \langle \psi_1 \wedge \ldots \wedge \psi_m \rangle.$$

Each conjunct expresses a certain property about a module or its environment.
Typically, each conjunct is of a rather small size. While it is possible to decom-
pose the guarantee and reduce the problem to verifying assertions of the form
⟨φ₁ ∧ … ∧ φ_l⟩M⟨ψ⟩, where ψ is of small size, it is not possible in general to de-
compose the assumption in a similar fashion. Thus, it may seem that in trying to
employ modular verification in order to overcome the state-explosion problem,
we are merely replacing it with the assumption-explosion problem.
This observation provides a justification for the approach taken in [CLM89]
to avoid the assume-guarantee paradigm. Instead of describing the interaction of
the module by an LTL formula, it is proposed there to model the environment
by interface processes. As is shown there, these processes are typically much
simpler than the full environment of the module. By composing a module with
its interface processes and then verifying properties of the composition, it can
be guaranteed that these properties will be preserved at the global level.
Composition: A Way to Make Proofs Harder



Leslie Lamport 

Systems Research Center, Digital Equipment Corporation 



Abstract. Compositional reasoning about a system means writing its 
specification as the parallel composition of components and reasoning 
separately about each component. When distracting language issues are 
removed and the underlying mathematics is revealed, compositional rea- 
soning is seen to be of little use. 



1 Introduction 

When an engineer designs a bridge, she makes a mathematical model of it and
reasons mathematically about her model. She might talk about calculating rather
than reasoning, but calculating to three decimal places is just a way of
proving $|\sqrt{2} - 1.414| < 10^{-3}$. The engineer reasons compositionally, using laws of
mathematics to decompose her calculations into small steps. She would probably
be mystified by the concept of compositional reasoning about bridges, finding it
hard to imagine any form of reasoning that was not compositional.

Because computer systems can be built with software rather than girders and
rivets, many computer scientists believe these systems should not be modeled
with the ordinary mathematics used by engineers and scientists, but with some-
thing that looks vaguely like a programming language. We call such a language a
pseudo-programming language (PPL). Some PPLs, such as CSP, use constructs
of ordinary programming languages. Others, like CCS, use more abstract nota-
tion. But, they have two defining properties: they are specially designed to model
computer systems, and they are not meant to implement useful, real-world pro-
grams.

When using a pseudo-programming language, compositional reasoning means 
writing a model as the composition of smaller pseudo-programs, and reasoning 
separately about those smaller pseudo-programs. If one believes in using PPLs 
to model computer systems, then it is natural to believe that decomposition 
should be done in terms of the PPL, so compositionality must be a Good Thing. 

We adopt the radical approach of modeling computer systems the way en- 
gineers model bridges — using mathematics. Compositionality is then a trivial 
consequence of the compositionality of ordinary mathematics. We will see that 
the compositional approaches based on pseudo-programming languages are anal- 
ogous to performing calculations about a bridge design by decomposing it into 
smaller bridge designs. While this technique may occasionally be useful, it is 
hardly a good general approach to bridge design. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 402-423, 1998. 

Springer-Verlag Berlin Heidelberg 1998 
2 The Mathematical Laws of Composition

Mathematical reasoning is embodied in statements (also called theorems) and 
their proofs. The reasoning is hierarchical — the proof of a statement consists of 
a sequence of statements, each with its proof. The decomposition stops at a level 
at which the proof is sufficiently obvious that it can be written as a short, simple 
paragraph. How rigorous the proof is depends on what “obvious” means. In the 
most rigorous proofs, it means simple enough so that even a computer can verify 
it. Less rigorous proofs assume a reader of greater intelligence (or greater faith). 
We will use the notation introduced in [10] to write hierarchical proofs. 

Two fundamental laws of mathematics are used to decompose proofs:

$$\wedge\text{-Composition}\ \ \frac{A \Rightarrow B \qquad A \Rightarrow C}{A \Rightarrow B \wedge C} \qquad\qquad \vee\text{-Composition}\ \ \frac{A \Rightarrow C \qquad B \Rightarrow C}{A \vee B \Rightarrow C}$$

Logicians have other names for these laws, but our subject is compositionality,
so we adopt these names. A special case of ∨-composition is:

$$\text{Case-Analysis}\ \ \frac{A \wedge B \Rightarrow C \qquad A \wedge \neg B \Rightarrow C}{A \Rightarrow C}$$

The propositional ∧- and ∨-composition rules have the following predicate-logic
generalizations:

$$\forall\text{-Composition}\ \ \frac{(i \in S) \wedge P \Rightarrow Q(i)}{P \Rightarrow (\forall\, i \in S : Q(i))} \qquad\qquad \exists\text{-Composition}\ \ \frac{(i \in S) \wedge P(i) \Rightarrow Q}{(\exists\, i \in S : P(i)) \Rightarrow Q}$$

Another rule that is often used (under a very different name) is

$$\text{Act-Stupid}\ \ \frac{A \Rightarrow C}{A \wedge B \Rightarrow C}$$

We call it the act-stupid rule because it proves that A ∧ B implies C by ignoring
the hypothesis B. This rule is useful when B can't help in the proof, so we need
only the hypothesis A. Applying it in a general method, when we don't know
what A and B are, is usually a bad idea.

3 Describing a System with Mathematics 

We now explain how to use mathematics to describe systems. We take as our 
example a digital clock that displays the hour and minute. For simplicity, we 
ignore the fact that a clock is supposed to tell the real time, and we instead just 
specify the sequence of times that it displays. A more formal explanation of the 
approach can be found in [9]. 
3.1 Discrete Dynamic Systems

Our clock is a dynamic system, meaning that it evolves over time. The classic way 
to model a dynamic system is by describing its state as a continuous function of 
time. Such a function would describe the continuum of states the display passes 
through when changing from 12:49 to 12:50. However, we view the clock as a 
discrete system. Discrete systems are, by definition, ones we consider to exhibit 
discrete state changes. Viewing the clock as a discrete system means ignoring 
the continuum of real states and pretending that it changes from 12:49 to 12:50 
without passing through any intermediate state. We model the execution of a 
discrete system as a sequence of states. We call such a sequence a behavior. To 
describe a system, we describe all the behaviors that it can exhibit. 

3.2 An Hour Clock 

A First Attempt  To illustrate how systems are described mathematically, we
start with an even simpler example than the hour-minute clock — namely, a clock
that displays only the hour. We describe its state by the value of the variable
hr. A typical behavior of this system is

[hr = 11] → [hr = 12] → [hr = 1] → [hr = 2] → ⋯

We describe all possible behaviors by an initial predicate that specifies the pos-
sible initial values of hr, and a next-state relation that specifies how the value
of hr can change in any step (pair of successive states).

The initial predicate is just hr ∈ {1, …, 12}. The next-state relation is the
following formula, in which hr denotes the old value and hr' denotes the new
value.

((hr = 12) ∧ (hr' = 1)) ∨ ((hr ≠ 12) ∧ (hr' = hr + 1))

This kind of formula is easier to read when written with lists of conjuncts or
disjuncts, using indentation to eliminate parentheses:

∨ ∧ hr = 12
  ∧ hr' = 1
∨ ∧ hr ≠ 12
  ∧ hr' = hr + 1

There are many ways to write the same formula. Borrowing some notation from
programming languages, we can write this next-state relation as

hr' = if hr = 12 then 1 else hr + 1

This kind of formula, a Boolean-valued expression containing primed and un-
primed variables, is called an action.

Our model is easier to manipulate mathematically if it is written as a single
formula. We can write it as

∧ hr ∈ {1, …, 12}                                                  (1)
∧ □(hr' = if hr = 12 then 1 else hr + 1)
This is a temporal formula, meaning that it is true or false of a behavior. A
state predicate like hr ∈ {1, …, 12} is true for a behavior iff it is true in the first
state. A formula of the form □N asserts that the action N holds on all steps of
the behavior.

By introducing the operator □, we have left the realm of everyday mathe- 
matics and entered the world of temporal logic. Temporal logic is more compli- 
cated than ordinary mathematics. Having a single formula as our mathematical 
description is worth the extra complication. However, we should use temporal 
reasoning as little as possible. In any event, temporal logic formulas are still 
much easier to reason about than programs in a pseudo-programming language. 



Stuttering Before adopting (1) as our mathematical description of the hour 
clock, we ask the question, what is a state? For a simple clock, the obvious 
answer is that a state is an assignment of values to the variable hr. What about 
a railroad station with a clock? To model a railroad station, we would use a 
number of additional variables, perhaps including a variable sig to record the 
state of a particular signal in the station. One possible behavior of the system 
might be

[hr = 11, sig = "red"] → [hr = 12, sig = "red"] → [hr = 12, sig = "green"] → [hr = 12, sig = "red"] → [hr = 1, sig = "red"] → ⋯

We would expect our description of a clock to describe the clock in the railroad 
station. However, formula (1) doesn’t do this. It asserts that hr is incremented 
in every step, but the behavior of the railroad station with clock includes steps 
like the second and third, which change sig but leave hr unchanged. 

To write a single description that applies to any clock, we let a state consist
of an assignment of values to all possible variables. In mathematics, the equation
x + y = 1 doesn't assert that there is no z. It simply says nothing about the
value of z. In other words, the formula x + y = 1 is not an assertion about some
universe containing only x and y. It is an assertion about a universe containing
x, y, and all other variables; it constrains the values of only the variables x
and y.

Similarly, a mathematical formula that describes a clock should be an asser- 
tion not about the variable hr, but about the entire universe of possible variables. 
It should constrain the value only of hr and should allow arbitrary changes to 
the other variables — including changes that occur while the value of hr stays the 
same. We obtain such a formula by modifying (1) to allow “stuttering” steps 
that leave hr unchanged, obtaining:



∧ hr ∈ {1, …, 12}                                                  (2)
∧ □( ∨ hr' = if hr = 12 then 1 else hr + 1
     ∨ hr' = hr )

Clearly, every next-state relation we write is going to have a disjunct that leaves
variables unchanged. So, it's convenient to introduce the notation that [A]_v
equals A ∨ (v' = v), where v' is obtained from the expression v by priming
all its free variables. We can then write (2) more compactly as

∧ hr ∈ {1, …, 12}                                                  (3)
∧ □[hr' = if hr = 12 then 1 else hr + 1]_hr

This formula allows behaviors that stutter forever, such as 

[hr = 11] → [hr = 12] → [hr = 12] → [hr = 12] → ⋯

Such a behavior describes a stopped clock. It illustrates that we can assume all 
behaviors are infinite, because systems that halt are described by behaviors that 
end with infinite stuttering. But, we usually want our clocks not to stop. 

Fairness To describe a clock that doesn’t stop, we must add a conjunct to (3) 
to rule out infinite stuttering. Experience has shown that the best way to write 
this conjunct is with fairness formulas. There are two types of fairness, weak 
and strong, expressed with the WF and SF operators that are defined as follows. 

WF_v(A)  If A ∧ (v' ≠ v) is enabled forever, then infinitely many A ∧ (v' ≠ v)
steps must occur.

SF_v(A)  If A ∧ (v' ≠ v) is enabled infinitely often, then infinitely many A ∧ (v' ≠ v)
steps must occur.

The v' ≠ v conjuncts make it impossible to use WF or SF to write a formula
that rules out finite stuttering.

We can now write our description of the hour clock as the formula Π, defined
by

N ≜ hr' = if hr = 12 then 1 else hr + 1
Π ≜ (hr ∈ {1, …, 12}) ∧ □[N]_hr ∧ WF_hr(N)

The first two conjuncts of Π (which equal (3)) express a safety property. In-
tuitively, a safety property is characterized by any of the following equivalent
conditions.

— It asserts that the system never does something bad. 

— It asserts that the system starts in a good state and never takes a wrong 
step. 
— It is finitely refutable — if it is violated, then it is violated at some particular
point in the behavior.

The last conjunct of U (the WF formula) is an example of a liveness property. 
Intuitively, a liveness property is characterized by any of the following equivalent 
conditions. 

— It asserts that the system eventually does something good. 

— It asserts that the system eventually takes a good step. 

— It is not finitely refutable — it is possible to satisfy it after any finite portion 
of the behavior. 

Formal definitions of safety and liveness are due to Alpern and Schneider [4] . 

Safety properties are proved using only ordinary mathematics (plus a couple 
of lines of temporal reasoning). Liveness properties are proved by combining 
temporal logic with ordinary mathematics. Here, we will mostly ignore liveness 
and concentrate on safety properties. 

3.3 An Hour-Minute Clock 

The Internal Specification It is now straightforward to describe a clock with 
an hour and minute display. The two displays are represented by the values of 
the variables hr and min. To make the specification more interesting, we describe 
a clock in which the two displays don’t change simultaneously when the hour 
changes. When the display changes from 8:59 to 9:00, it transiently reads 8:00 
or 9:59. Since we are ignoring the actual times at which state changes occur, 
these transient states are no different from the states when the clock displays 
the “correct” time. 

Figure 1 defines a formula Φ that describes the hour-minute clock. It uses an
additional variable chg that equals true when the display is in a transient state.
Action Mm describes the changing of min; action Mh describes the changing
of hr. The testing and setting of chg by these actions is a bit tricky, but a
little thought reveals what's going on. Action Mh introduces a gratuitous bit
of cleverness to remove the if/then construct from the specification of the new
value of hr. The next-state relation for the hour-minute clock is Mm ∨ Mh
because a step of the clock increments either min or hr. Since ⟨hr, min, chg⟩'
equals ⟨hr', min', chg'⟩, it equals ⟨hr, min, chg⟩ iff hr, min, and chg are all
unchanged.

Existential Quantification  Formula Φ of Figure 1 contains the free variables
hr, min, and chg. However, the description of a clock should mention only hr and
min, not chg. We need to "hide" chg. In mathematics, hiding means existential
quantification. The formula ∃x : y = x² asserts that there is some value of
x that makes y = x² true; it says nothing about the actual value of x. The
formula describing an hour-minute clock is ∃ chg : Φ. The quantifier ∃ is a
temporal operator, asserting that there is a sequence of values of chg that makes
Φ true. The precise definition of ∃ is a bit subtle and can be found in [9].
Init_Φ ≜ ∧ hr ∈ {1, …, 12}
         ∧ min ∈ {0, …, 59}
         ∧ chg = FALSE

Mm ≜ ∧ ¬((min = 0) ∧ chg)
     ∧ min' = (min + 1) mod 60
     ∧ chg' = (min = 59) ∧ ¬chg
     ∧ hr' = hr

Mh ≜ ∧ ∨ (min = 59) ∧ ¬chg
       ∨ (min = 0) ∧ chg
     ∧ hr' = (hr mod 12) + 1
     ∧ chg' = ¬chg
     ∧ min' = min

Φ ≜ ∧ Init_Φ
    ∧ □[Mm ∨ Mh]_⟨hr,min,chg⟩
    ∧ WF_⟨hr,min,chg⟩(Mm ∨ Mh)

Fig. 1. The internal specification of an hour-minute clock.



3.4 Implementation and Implication 

An hour-minute clock implements an hour clock. (If we ask someone to build a
device that displays the hour, we can't complain if the device also displays the
minute.) Every behavior that satisfies the description of an hour-minute clock
also satisfies the description of an hour clock. Formally, this means that the
formula (∃ chg : Φ) ⇒ Π is true. In mathematics, if something is true, we should
be able to prove it. The rules of mathematics allow us to decompose the proof
hierarchically. Here is the statement of the theorem, and the first two levels of
its proof. (See [10] for an explanation of the proof style.)

Theorem 1. (∃ chg : Φ) ⇒ Π

⟨1⟩1. Φ ⇒ Π

  ⟨2⟩1. Init_Φ ⇒ hr ∈ {1, …, 12}

  ⟨2⟩2. □[Mm ∨ Mh]_⟨hr,min,chg⟩ ⇒ □[N]_hr

  ⟨2⟩3. Φ ⇒ WF_hr(N)

  ⟨2⟩4. Q.E.D.

    Proof: By ⟨2⟩1–⟨2⟩3 and the ∧-composition and act-stupid rules.

⟨1⟩2. Q.E.D.

  Proof: By ⟨1⟩1, the definition of Φ, and predicate logic², since chg does
  not occur free in Π.

² We are actually reasoning about the temporal operator ∃ rather than ordinary
existential quantification, but it obeys the usual rules of predicate logic.
Let's now go deeper into the hierarchical proof. The proof of ⟨2⟩1 is trivial,
since Init_Φ contains the conjunct hr ∈ {1, …, 12}. Proving liveness requires
more temporal logic than we want to delve into here, so we will not show the
proof of ⟨2⟩3 or of any other liveness properties. We expand the proof of ⟨2⟩2
two more levels as follows.

⟨2⟩2. □[Mm ∨ Mh]_⟨hr,min,chg⟩ ⇒ □[N]_hr

  ⟨3⟩1. [Mm ∨ Mh]_⟨hr,min,chg⟩ ⇒ [N]_hr

    ⟨4⟩1. Mm ⇒ [N]_hr

    ⟨4⟩2. Mh ⇒ [N]_hr

    ⟨4⟩3. (⟨hr, min, chg⟩' = ⟨hr, min, chg⟩) ⇒ [N]_hr

    ⟨4⟩4. Q.E.D.

      Proof: By ⟨4⟩1–⟨4⟩3 and the ∨-composition rule.

  ⟨3⟩2. Q.E.D.

    Proof: By ⟨3⟩1 and the rule $\dfrac{A \Rightarrow B}{\Box A \Rightarrow \Box B}$.

The proof of ⟨4⟩1 is easy, since Mm implies hr' = hr. The proof of ⟨4⟩3 is equally
easy. The proof of ⟨4⟩2 looks easy enough.

⟨4⟩2. Mh ⇒ [N]_hr

  Proof: Mh ⇒ hr' = (hr mod 12) + 1
            ⇒ hr' = if hr = 12 then 1 else hr + 1
            = N

However, this proof is wrong! The second implication is not valid. For example,
if hr equals 25, then the first equation asserts hr' = 2, while the second asserts
hr' = 26. The implication is valid only under the additional assumption hr ∈
{1, …, 12}.

Define Inv to equal the predicate hr ∈ {1, …, 12}. We must show that Inv is
true throughout the execution, and use that fact in the proof of step ⟨4⟩2. Here
are the top levels of the corrected proof.

⟨1⟩1. Φ ⇒ Π

  ⟨2⟩1. Init_Φ ⇒ hr ∈ {1, …, 12}

  ⟨2⟩2. Init_Φ ∧ □[Mm ∨ Mh]_⟨hr,min,chg⟩ ⇒ □Inv

  ⟨2⟩3. □Inv ∧ □[Mm ∨ Mh]_⟨hr,min,chg⟩ ⇒ □[N]_hr

  ⟨2⟩4. Φ ⇒ WF_hr(N)

  ⟨2⟩5. Q.E.D.

    Proof: By ⟨2⟩1–⟨2⟩4, and the ∧-composition and act-stupid rules.

⟨1⟩2. Q.E.D.

  Proof: By ⟨1⟩1, the definition of Φ, and predicate logic, since chg does not
  occur free in Π.

The high-level proofs of ⟨2⟩2 and ⟨2⟩3 are

⟨2⟩2. $\mathit{Init}_\Phi \wedge \Box[N_m \vee N_h]_{\langle hr, min, chg\rangle} \Rightarrow \Box\mathit{Inv}$

  ⟨3⟩1. $\mathit{Init}_\Phi \Rightarrow \mathit{Inv}$

  ⟨3⟩2. $\mathit{Inv} \wedge [N_m \vee N_h]_{\langle hr, min, chg\rangle} \Rightarrow \mathit{Inv}'$

  ⟨3⟩3. Q.E.D.

    Proof: By ⟨3⟩1, ⟨3⟩2 and the rule $\dfrac{P \wedge [A]_v \Rightarrow P'}{P \wedge \Box[A]_v \Rightarrow \Box P}$.

⟨2⟩3. $\Box\mathit{Inv} \wedge \Box[N_m \vee N_h]_{\langle hr, min, chg\rangle} \Rightarrow \Box[N]_{hr}$

  ⟨3⟩1. $\mathit{Inv} \wedge [N_m \vee N_h]_{\langle hr, min, chg\rangle} \Rightarrow [N]_{hr}$

  ⟨3⟩2. Q.E.D.

    Proof: By ⟨3⟩1 and the rules $\dfrac{A \Rightarrow B}{\Box A \Rightarrow \Box B}$ and $\Box(A \wedge B) = \Box A \wedge \Box B$.

The further expansion of the proofs is straightforward and is left as an exercise 
for the diligent reader. 



3.5 Invariance and Step Simulation

The part of the proof shown above is completely standard. It contains all the
temporal-logic reasoning used in proving safety properties. The formula $\mathit{Inv}$
satisfying ⟨2⟩2 is called an invariant. Substep ⟨3⟩2 of step ⟨2⟩3 is called proving
step simulation. The invariant is crucial in this step and in step ⟨2⟩4 (the proof
of liveness). In general, the hard parts of the proof are discovering the
invariant, substep ⟨3⟩2 of step ⟨2⟩2 (the crucial step in the proof of invariance), step
simulation, and liveness.

In our example, $\mathit{Inv}$ asserts that the value of $hr$ always lies in the correct set.
Computer scientists call this assertion type correctness, and call the set of correct
values the type of $hr$. Hence, $\mathit{Inv}$ is called a type-correctness invariant. This is the
simplest form of invariant. Computer scientists usually add a type system just
to handle this particular kind of invariant, since they tend to prefer formalisms
that are more complicated and less powerful than simple mathematics.

Most invariants express more interesting properties than just type correct- 
ness. The invariant captures the essence of what makes an implementation cor- 
rect. Finding the right invariant, and proving its invariance, suffices to prove the 
desired safety properties of many concurrent algorithms. This is the basis of the 
first practical method for reasoning about concurrent algorithms, which is due 
to Ashcroft [5]. 



3.6 A Formula by any Other Name 

We have been calling formulas like $\Phi$ and $\Pi$ “descriptions” or “models” of a
system. It is customary to call them specifications. This term is sometimes
reserved for high-level descriptions of systems, with low-level descriptions being
called implementations. We make no distinction between specifications and
implementations. They are all descriptions of a system at various levels of detail.
We use the terms algorithm, description, model, and specification as different
names for the same thing: a mathematical formula.

4 Invariance in a Pseudo-Programming Language 

Invariance is a simple concept. We now show how a popular method for prov- 
ing invariance in terms of a pseudo-programming language is a straightforward 
consequence of the rules of mathematics. 
4.1 The Owicki-Gries Method

In the Owicki-Gries method [8, 11], the invariant is written as a program
annotation. For simplicity, let's assume a multiprocess program in which each process $i$
in a set $P$ of processes repeatedly executes a sequence of atomic instructions
$S^{(i)}_0, \ldots, S^{(i)}_{n-1}$. The invariant is written as an annotation, in which each statement
$S^{(i)}_j$ is preceded by an assertion $A^{(i)}_j$ as shown in Figure 2.




Fig. 2. An Owicki-Gries style annotation of a process. 

To make sense of this picture, we must translate it into mathematics. We first
rewrite each operation $S^{(i)}_j$ as an action, which we also call $S^{(i)}_j$. This rewriting is
easy. For example, an assignment statement $x := x + 1$ is written as the action
$(x' = x + 1) \wedge ((\ldots)' = (\ldots))$, where “$\ldots$” is the list of other variables. We
represent the program's control state with a variable $pc$, where $pc[i] = j$ means
that control in process $i$ is immediately before statement $S^{(i)}_j$. The program and
its invariant are then described by the formulas $\Pi$ and $\mathit{Inv}$ of Figure 3.

We can derive the Owicki-Gries rules for proving invariance by applying the 
proof rules we used before. The top-level proof is: 

Theorem 2. (Owicki-Gries) $\Pi \Rightarrow \Box\mathit{Inv}$

⟨1⟩1. $\mathit{Init} \Rightarrow \mathit{Inv}$

⟨1⟩2. $\mathit{Inv} \wedge [N]_{\langle vbl, pc\rangle} \Rightarrow \mathit{Inv}'$

  ⟨2⟩1. $\mathit{Inv} \wedge N \Rightarrow \mathit{Inv}'$

  ⟨2⟩2. $\mathit{Inv} \wedge (\langle vbl, pc\rangle' = \langle vbl, pc\rangle) \Rightarrow \mathit{Inv}'$

  ⟨2⟩3. Q.E.D.

    Proof: By ⟨2⟩1, ⟨2⟩2, and the ∨-composition rule.

⟨1⟩3. Q.E.D.

  Proof: By ⟨1⟩1, ⟨1⟩2, and the rule $\dfrac{P \wedge [A]_v \Rightarrow P'}{P \wedge \Box[A]_v \Rightarrow \Box P}$.
$\mathit{Init} \triangleq$
    $\wedge\ \forall i \in P : pc[i] = 0$
    $\wedge\ \ldots$   [The initial conditions on program variables.]

$\mathit{Go}^{(i)}_j \triangleq$
    $\wedge\ pc[i] = j$
    $\wedge\ pc[i]' = (j + 1) \bmod n$
    $\wedge\ \forall k \in P : (k \neq i) \Rightarrow (pc[k]' = pc[k])$

$N \triangleq \exists\, i \in P,\ j \in \{0, \ldots, n-1\} : \mathit{Go}^{(i)}_j \wedge S^{(i)}_j$

$vbl \triangleq \langle \ldots \rangle$   [The tuple of all program variables.]

$\Pi \triangleq \mathit{Init} \wedge \Box[N]_{\langle vbl, pc\rangle}$

$\mathit{Inv} \triangleq \forall i \in P,\ j \in \{0, \ldots, n-1\} : (pc[i] = j) \Rightarrow A^{(i)}_j$

Fig. 3. The formulas describing the program and annotation of Figure 2.



The hard part is the proof of ⟨2⟩1. We first decompose it using the ∨- and
∃-composition rules.



⟨2⟩1. $\mathit{Inv} \wedge N \Rightarrow \mathit{Inv}'$

  ⟨3⟩1. $(i \in P) \wedge (j \in \{0, \ldots, n-1\}) \wedge \mathit{Inv} \wedge \mathit{Go}^{(i)}_j \wedge S^{(i)}_j \Rightarrow \mathit{Inv}'$

    ⟨4⟩1. $(i, k \in P) \wedge (j, l \in \{0, \ldots, n-1\}) \wedge \mathit{Inv} \wedge \mathit{Go}^{(i)}_j \wedge S^{(i)}_j \Rightarrow \bigl((pc[k]' = l) \Rightarrow (A^{(k)}_l)'\bigr)$

    ⟨4⟩2. Q.E.D.

      Proof: By ⟨4⟩1, the definition of $\mathit{Inv}$, and the ∀-composition rule.

  ⟨3⟩2. Q.E.D.

    Proof: By ⟨3⟩1, the definition of $N$, and the ∃-composition rule.

We prove ⟨4⟩1 by cases, after first using propositional logic to simplify its
statement. We let $j \oplus 1$ equal $(j + 1) \bmod n$.



⟨4⟩1. $(i, k \in P) \wedge (j, l \in \{0, \ldots, n-1\}) \wedge (pc[k]' = l) \wedge \mathit{Inv} \wedge \mathit{Go}^{(i)}_j \wedge S^{(i)}_j \Rightarrow (A^{(k)}_l)'$

  ⟨5⟩1. Case: $i = k$

    ⟨6⟩1. $(i \in P) \wedge (j \in \{0, \ldots, n-1\}) \wedge A^{(i)}_j \wedge S^{(i)}_j \Rightarrow (A^{(i)}_{j \oplus 1})'$

    ⟨6⟩2. Q.E.D.

      Proof: By ⟨6⟩1, the level-⟨5⟩ assumption, the definition of $\mathit{Inv}$, and
      the act-stupid rule, since $(pc[i]' = l) \wedge \mathit{Go}^{(i)}_j$ implies $(l = j \oplus 1)$.

  ⟨5⟩2. Case: $i \neq k$

    ⟨6⟩1. $(i, k \in P) \wedge (j, l \in \{0, \ldots, n-1\}) \wedge A^{(i)}_j \wedge A^{(k)}_l \wedge S^{(i)}_j \Rightarrow (A^{(k)}_l)'$

    ⟨6⟩2. Q.E.D.

      Proof: By ⟨6⟩1, the level-⟨5⟩ assumption, the definition of $\mathit{Inv}$, and
      the act-stupid rule, since $(pc[k]' = l) \wedge \mathit{Go}^{(i)}_j$ implies $(pc[k] = l)$, for
      $k \neq i$, and $(pc[k] = l) \wedge \mathit{Inv}$ implies $A^{(k)}_l$.

We are finally left with the two subgoals numbered ⟨6⟩1. Summarizing, we see
that to prove $\mathit{Init} \Rightarrow \Box\mathit{Inv}$, it suffices to prove the two conditions

$A^{(i)}_j \wedge S^{(i)}_j \Rightarrow (A^{(i)}_{j \oplus 1})'$

$A^{(i)}_j \wedge A^{(k)}_l \wedge S^{(i)}_j \Rightarrow (A^{(k)}_l)'$

for all $i, k$ in $P$ with $i \neq k$, and all $j, l$ in $\{0, \ldots, n-1\}$. These conditions are
called Sequential Correctness and Interference Freedom, respectively.

4.2 Why Bother? 

We now consider just what has been accomplished by proving invariance in
terms of a pseudo-programming language instead of directly in mathematics.

Computer scientists are quick to point out that using “$:=$” instead of “$=$”
avoids the need to state explicitly what variables are left unchanged. In practice,
this reduces the length of a specification by anywhere from about 10% (for
a very simple algorithm) to 4% (for a more complicated system). For this minor
gain, it introduces the vexing problem of figuring out exactly what variables
can and cannot be changed by executing $x := x + 1$. The obvious requirement
that no other variable is changed would not allow us to implement $x$ as the sum
$lh \cdot 2^{32} + rh$ of two 32-bit values, since it forbids $lh$ and $rh$ to change when $x$ is
incremented. The difficulty of deciding what can and cannot be changed by an
assignment statement is one of the things that makes the semantics of programming
languages (both real and pseudo) complicated. By using mathematics, we
avoid this problem completely.

A major achievement of the Owicki-Gries method is eliminating the explicit
mention of the variable $pc$. By writing the invariant as an annotation, one can
write $A^{(i)}_j$ instead of $(pc[i] = j) \Rightarrow A^{(i)}_j$. At the time, computer scientists seemed
to think that mentioning $pc$ was a sin. However, when reasoning about a concurrent
algorithm, we must refer to the control state in the invariant. Owicki and
Gries therefore had to introduce dummy variables to serve as euphemisms for
$pc$. When using mathematics, any valid formula of the form $\mathit{Init} \wedge \Box[N]_v \Rightarrow \Box P$,
for a state predicate $P$, can be proved without adding dummy variables.

One major drawback of the Owicki-Gries method arises from the use of the
act-stupid rule in the proofs of the two steps numbered ⟨6⟩2. The rule was applied
without regard for whether the hypotheses being ignored are useful. This means
that there are annotations for which step ⟨2⟩1 (which asserts $N \wedge \mathit{Inv} \Rightarrow \mathit{Inv}'$) is
valid but cannot be proved with the Owicki-Gries method. Such invariants must
be rewritten as different, more complicated annotations.

Perhaps the thing about the Owicki-Gries method is that it obscures the 
underlying concept of invariance. We refer the reader to [6] for an example of 
how complicated this simple concept becomes when expressed in terms of a 
pseudo-programming language. In 1976, the Owicki-Gries method seemed like a 
major advance over Ashcroft’s simple notion of invariance. We have since learned 
better. 
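As an added example (not from the paper), the following Python encodes the two Owicki-Gries conditions of Section 4.1 and the formulas Init, N and Inv of Figure 3 for a constructed two-process program, and checks them by enumeration over a finite range of x. It shows the pc-free annotation failing Interference Freedom (and failing step ⟨2⟩1 as well), while an invariant that mentions pc, which Section 4.2 argues is unavoidable, is preserved; the program, its annotation and the value ranges are assumptions of the example.

```python
"""Checking an Owicki-Gries annotation by enumeration (added example, not from the paper).

Constructed program: processes P = {0, 1}, each looping over n = 2 statements
    S_0: x := x + 1        S_1: x := x - 1
with the pc-free annotation A_0 = (x in {0, 1}) and A_1 = (x in {1, 2}).
A state of Figure 3 is (pc, x), where pc is a pair of statement indices.
"""
from itertools import product
from typing import Callable, Iterator, List, Tuple

PROCS = (0, 1)
N = 2                       # statements per process
X_DOMAIN = range(-1, 4)     # constructed finite window of x values to enumerate
PC = tuple(product(range(N), repeat=len(PROCS)))   # all control states


def stmt(j: int, x: int) -> int:
    """The action S_j^(i) as a function of x (the same code for both processes)."""
    return x + 1 if j == 0 else x - 1


def assertion(j: int, x: int) -> bool:
    """The annotation A_j^(i) written in front of S_j; it does not mention pc."""
    return x in (0, 1) if j == 0 else x in (1, 2)


def sequential_correctness_violations() -> List[Tuple[int, int, int]]:
    """Counterexamples to A_j and S_j => (A_{j (+) 1})' as triples (i, j, x)."""
    return [(i, j, x) for i, j, x in product(PROCS, range(N), X_DOMAIN)
            if assertion(j, x) and not assertion((j + 1) % N, stmt(j, x))]


def interference_freedom_violations() -> List[Tuple[int, int, int, int, int]]:
    """Counterexamples to A_j^(i) and A_l^(k) and S_j^(i) => (A_l^(k))' for i != k,
    as tuples (i, j, k, l, x)."""
    return [(i, j, k, l, x)
            for i, k, j, l, x in product(PROCS, PROCS, range(N), range(N), X_DOMAIN)
            if i != k and assertion(j, x) and assertion(l, x)
            and not assertion(l, stmt(j, x))]


# --- the same program written as the formulas Init, N, Inv of Figure 3 --------

def init(pc: Tuple[int, ...], x: int) -> bool:
    """Init: every pc[i] = 0; the constructed initial condition on x is x = 0."""
    return all(p == 0 for p in pc) and x == 0


def next_states(pc: Tuple[int, ...], x: int) -> Iterator[Tuple[Tuple[int, ...], int]]:
    """N = exists i, j : Go_j^(i) and S_j^(i): process i executes its current statement."""
    for i in PROCS:
        j = pc[i]
        pc2 = list(pc)
        pc2[i] = (j + 1) % N
        yield tuple(pc2), stmt(j, x)


def inv_annotation(pc: Tuple[int, ...], x: int) -> bool:
    """Inv of Figure 3: for all i, j : (pc[i] = j) => A_j^(i)."""
    return all(pc[i] != j or assertion(j, x) for i in PROCS for j in range(N))


def inv_control(pc: Tuple[int, ...], x: int) -> bool:
    """An invariant that mentions pc: x counts the processes that sit before S_1."""
    return x == sum(1 for p in pc if p == 1)


def is_invariant(inv: Callable[[Tuple[int, ...], int], bool]) -> bool:
    """Init => Inv and Inv and N => Inv', checked over the finite state domain."""
    for pc, x in product(PC, X_DOMAIN):
        if init(pc, x) and not inv(pc, x):
            return False
        if inv(pc, x) and not all(inv(pc2, x2) for pc2, x2 in next_states(pc, x)):
            return False
    return True
```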

5 Refinement 

5.1 Refinement in General 

We showed above that an hour-minute clock implements an hour clock by proving
$(\exists\, chg : \Phi) \Rightarrow \Pi$. That proof does not illustrate the general case of proving that
one specification implements another because the higher-level specification $\Pi$
has no internal (bound) variable. The general case is covered by the following
proof outline, where $x$, $y$, and $z$ denote arbitrary tuples of variables, and the
internal variables $y$ and $z$ of the two specifications are distinct from the free
variables $x$. The proof involves finding a function $f$, which is called a refinement
mapping [1].

Theorem 3. (Refinement) $(\exists\, y : \Phi(x, y)) \Rightarrow (\exists\, z : \Pi(x, z))$

Let: $z = f(x, y)$

⟨1⟩1. $\Phi(x, y) \Rightarrow \Pi(x, z)$

⟨1⟩2. $\Phi(x, y) \Rightarrow (\exists\, z : \Pi(x, z))$

  Proof: By ⟨1⟩1 and predicate logic, since the variables of $z$ are distinct
  from those of $x$.

The proof of step (1)1 has the same structure as in our clock example. 

5.2 Hierarchical Refinement 

In mathematics, it is common to prove a theorem of the form $P \Rightarrow Q$ by
introducing a new formula $R$ and proving $P \Rightarrow R$ and $R \Rightarrow Q$. We can prove
that a lower-level specification $\exists\, y : \Phi(x, y)$ implies a higher-level specification
$\exists\, z : \Pi(x, z)$ by introducing an intermediate-level specification $\exists\, w : \Psi(x, w)$ and
using the following proof outline.

Let: $\Psi(x, w) \triangleq \ldots$

⟨1⟩1. $(\exists\, y : \Phi(x, y)) \Rightarrow (\exists\, w : \Psi(x, w))$

  Let: $w = g(x, y)$

⟨1⟩2. $(\exists\, w : \Psi(x, w)) \Rightarrow (\exists\, z : \Pi(x, z))$

  Let: $z = h(x, w)$

⟨1⟩3. Q.E.D.

  Proof: By ⟨1⟩1 and ⟨1⟩2.

This proof method is called hierarchical decomposition. It's a good way to explain
a proof. By using a sequence of multiple intermediate specifications, each differing
from the next in only one aspect, we can decompose the proof into conceptually
simple steps.

Although it is a useful pedagogical tool, hierarchical decomposition does
not simplify the total proof. In fact, it usually adds extra work. Hierarchical
decomposition adds the task of writing the extra intermediate-level specification.
It also restricts how the proof is decomposed. The single refinement mapping $f$ in
the outline of the direct proof can be defined in terms of the two mappings $g$ and
$h$ of the hierarchical proof by $f(x, y) = h(x, g(x, y))$. The steps of a hierarchical
proof can then be reshuffled to form a particular way of decomposing the lower
levels of the direct proof. However, there could be better ways to decompose
those levels.

5.3 Interface Refinement 

We have said that implementation is implication. For this to be true, the two 
specifications must have the same free variables. If the high-level specification 
describes the sending of messages on a network whose state is represented by 
the variable net, then the low-level specification must also describe the sending 
of messages on net. 

We often implement a specification by refining the interface. For example,
we might implement a specification $E(net)$ of sending messages on $net$ by a
specification $A(tran)$ of sending packets on a “transport layer” whose state is
represented by a variable $tran$. A single message could be broken into multiple
packets. Correctness of the implementation cannot mean validity of $A(tran) \Rightarrow
E(net)$, since $A(tran)$ and $E(net)$ have different free variables.

To define what it means for $A(tran)$ to implement $E(net)$, we must first define
what it means for sending a set of packets to represent the sending of a message.
This definition is written as a temporal formula $R(net, trans)$, which is true of
a behavior iff the sequence of values of $trans$ represents the sending of packets
that correspond to the sending of messages represented by the sequence of values
of $net$. We call $R$ an interface refinement. For $R$ to be a sensible interface
refinement, the formula $A(trans) \Rightarrow \exists\, net : R(net, trans)$ must be valid, meaning
that every set of packet transmissions allowed by $A(trans)$ represents some set
of message transmissions. We say that $A(tran)$ implements $E(net)$ under the
interface refinement $R(net, trans)$ iff $A(tran) \wedge R(net, trans)$ implies $E(net)$.

6 Decomposing Specifications 

Pseudo-programming languages usually have some parallel composition operator
$\|$, where $S_1 \| S_2$ is the parallel composition of specifications $S_1$ and $S_2$. We
observed in our hour-clock example that a mathematical specification does
not describe only a particular system; rather, it describes a universe containing
(the variables that represent) the system. Composing two systems means
ensuring that the universe satisfies both of their specifications. Hence, when the
specifications $S_1$ and $S_2$ are mathematical formulas, their composition is just
$S_1 \wedge S_2$.



6.1 Decomposing a Clock into its Hour and Minute Displays 

We illustrate how composition becomes conjunction by specifying the hour-minute
clock as the conjunction of the specifications of an hour process and
a minute process. It is simpler to do this if each variable is modified by only
one process. So, we rewrite the specification of the hour-minute clock by replacing
the variable $chg$ with the expression $chg_h \neq chg_m$, where $chg_h$ and $chg_m$
are two new variables, $chg_h$ being modified by the hour process and $chg_m$ by
the minute process. The new specification is $\exists\, chg_h, chg_m : \Psi$, where $\Psi$ is
defined in Figure 4. Proving that this specification is equivalent to $\exists\, chg : \Phi$,



$\mathit{Init}_\Psi \triangleq$
    $\wedge\ hr \in \{1, \ldots, 12\}$
    $\wedge\ min \in \{0, \ldots, 59\}$
    $\wedge\ chg_m = chg_h = \textsc{true}$

$N_m \triangleq$
    $\wedge\ \neg((min = 0) \wedge (chg_m \neq chg_h))$
    $\wedge\ min' = (min + 1) \bmod 60$
    $\wedge\ chg_m' = \textbf{if } min = 59 \textbf{ then } \neg chg_m \textbf{ else } chg_h$
    $\wedge\ \langle hr, chg_h\rangle' = \langle hr, chg_h\rangle$

$N_h \triangleq$
    $\wedge\ \vee\ (min = 59) \wedge (chg_m = chg_h)$
    $\phantom{\wedge}\ \vee\ (min = 0) \wedge (chg_m \neq chg_h)$
    $\wedge\ hr' = (hr \bmod 12) + 1$
    $\wedge\ chg_h' = \neg chg_h$
    $\wedge\ \langle min, chg_m\rangle' = \langle min, chg_m\rangle$

$\Psi \triangleq$
    $\wedge\ \mathit{Init}_\Psi$
    $\wedge\ \Box[N_m \vee N_h]_{\langle hr, min, chg_m, chg_h\rangle}$
    $\wedge\ \mathrm{WF}_{\langle hr, min, chg_m, chg_h\rangle}(N_m \vee N_h)$

Fig. 4. Another internal specification of the hour-minute clock.



where $\Phi$ is defined in Figure 1, is left as a nice exercise for the reader. The
proof that $\exists\, chg_h, chg_m : \Psi$ implies $\exists\, chg : \Phi$ uses the refinement mapping
$chg = (chg_h \neq chg_m)$. The proof of the converse implication uses the refinement
mapping



chgk = 






A 



chg A {min = 59) 



chg A {min = 0) 
The specifications $\Pi_h$ and $\Pi_m$ of the hour and minute processes appear in Figure 5.
We now sketch the proof that $\Psi$ is the composition of those two specifications.

$\mathit{Init}_m \triangleq$
    $\wedge\ min \in \{0, \ldots, 59\}$
    $\wedge\ chg_m = \textsc{true}$

$\mathit{Init}_h \triangleq$
    $\wedge\ hr \in \{1, \ldots, 12\}$
    $\wedge\ chg_h = \textsc{true}$

$\Pi_h \triangleq \mathit{Init}_h \wedge \Box[N_h]_{\langle hr, chg_h\rangle} \wedge \mathrm{WF}_{\langle hr, chg_h\rangle}(N_h)$

$\Pi_m \triangleq \mathit{Init}_m \wedge \Box[N_m]_{\langle min, chg_m\rangle} \wedge \mathrm{WF}_{\langle min, chg_m\rangle}(N_m)$

Fig. 5. Definition of the specifications $\Pi_h$ and $\Pi_m$.

Theorem 4. $\Psi = \Pi_m \wedge \Pi_h$

⟨1⟩1. $\mathit{Init}_\Psi = \mathit{Init}_m \wedge \mathit{Init}_h$

⟨1⟩2. $\Box[N_m \vee N_h]_{\langle hr, min, chg_m, chg_h\rangle} = \Box[N_m]_{\langle min, chg_m\rangle} \wedge \Box[N_h]_{\langle hr, chg_h\rangle}$

  ⟨2⟩1. $[N_m \vee N_h]_{\langle hr, min, chg_m, chg_h\rangle} = [N_m]_{\langle min, chg_m\rangle} \wedge [N_h]_{\langle hr, chg_h\rangle}$

  ⟨2⟩2. Q.E.D.

    Proof: By ⟨2⟩1 and the rules $\dfrac{A = B}{\Box A = \Box B}$ and $\Box(A \wedge B) = \Box A \wedge \Box B$.

⟨1⟩3. $\wedge\ \Psi \Rightarrow \mathrm{WF}_{\langle min, chg_m\rangle}(N_m) \wedge \mathrm{WF}_{\langle hr, chg_h\rangle}(N_h)$
      $\wedge\ \Pi_m \wedge \Pi_h \Rightarrow \mathrm{WF}_{\langle hr, min, chg_m, chg_h\rangle}(N_m \vee N_h)$

⟨1⟩4. Q.E.D.

  Proof: By ⟨1⟩1–⟨1⟩3.

Ignoring liveness (step ⟨1⟩3), the hard part is proving ⟨2⟩1. This step is an
immediate consequence of the following propositional logic tautology, which we
call the ∨↔∧ rule.

$\dfrac{(N_i \wedge (i \neq j)) \Rightarrow (v_j' = v_j)\quad\text{for } 1 \le i, j \le n}{[N_1 \vee \ldots \vee N_n]_{\langle v_1, \ldots, v_n\rangle} = [N_1]_{v_1} \wedge \ldots \wedge [N_n]_{v_n}}$

Its proof is left as an exercise for the reader. 
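As an added example (not from the paper), the checks that Sections 3.4–3.5 carry out by proof are carried out here by explicit enumeration, the way a model checker would (Section 6.4), on the specification Ψ of Figure 4, whose N_h has the same hr' = (hr mod 12) + 1 as the proof of step ⟨4⟩2: Inv is shown invariant, every Ψ step is shown to be a [N]_hr step, the unguarded step ⟨4⟩2 is shown to fail for hr = 25, and the instance of the ∨↔∧ rule in step ⟨2⟩1 of Theorem 4 is checked on a small state domain. The finite state domains and the Python encoding of the actions are assumptions of the example.

```python
"""Explicit-state checks on the hour-minute clock Psi of Figure 4 (added example).

States are (hr, min, chg_m, chg_h). N_m and N_h are coded as functions from a
state to its unique successor, or None when the action is not enabled, so every
[N_m or N_h]_v step out of a state s is one of n_m(s), n_h(s), or s itself.
The finite domains are constructed for the checks; hr deliberately ranges
outside {1, ..., 12} so that the role of Inv becomes visible.
"""
from itertools import product
from typing import Iterator, List, NamedTuple, Optional, Tuple


class State(NamedTuple):
    hr: int
    min: int
    chg_m: bool
    chg_h: bool


def init_psi(s: State) -> bool:
    """Init_Psi: hr in 1..12, min in 0..59, chg_m = chg_h = TRUE."""
    return 1 <= s.hr <= 12 and 0 <= s.min <= 59 and s.chg_m and s.chg_h


def n_m(s: State) -> Optional[State]:
    """N_m: advance the minute; disabled at min = 0 while an hour change is pending."""
    if s.min == 0 and s.chg_m != s.chg_h:
        return None
    chg_m2 = (not s.chg_m) if s.min == 59 else s.chg_h
    return State(s.hr, (s.min + 1) % 60, chg_m2, s.chg_h)


def n_h(s: State) -> Optional[State]:
    """N_h: advance the hour, either just before or just after the minute wraps."""
    if not ((s.min == 59 and s.chg_m == s.chg_h) or (s.min == 0 and s.chg_m != s.chg_h)):
        return None
    return State((s.hr % 12) + 1, s.min, s.chg_m, not s.chg_h)


def inv(s: State) -> bool:
    """The type-correctness invariant Inv: hr in {1, ..., 12}."""
    return 1 <= s.hr <= 12


def n_hour(s: State, t: State) -> bool:
    """N of the hour clock: hr' = if hr = 12 then 1 else hr + 1."""
    return t.hr == (1 if s.hr == 12 else s.hr + 1)


def successors(s: State) -> List[State]:
    """Every t with [N_m or N_h]_(hr,min,chg_m,chg_h): both actions plus stuttering."""
    return [t for t in (n_m(s), n_h(s)) if t is not None] + [s]


def states(hrs=range(0, 26), mins=range(60)) -> Iterator[State]:
    """The constructed finite state domain."""
    for hr, mn, cm, ch in product(hrs, mins, (False, True), (False, True)):
        yield State(hr, mn, cm, ch)


def check_invariance() -> bool:
    """Steps <3>1 and <3>2 of <2>2: Init_Psi => Inv, and Inv and [N_m or N_h]_v => Inv'."""
    for s in states():
        if init_psi(s) and not inv(s):
            return False
        if inv(s) and not all(inv(t) for t in successors(s)):
            return False
    return True


def step_simulation_violations(assume_inv: bool) -> List[Tuple[State, State]]:
    """Steps (s, t) of [N_m or N_h]_v that are not [N]_hr steps (step <3>1 of <2>3).

    With assume_inv=True the hypothesis Inv is in force and nothing is returned;
    with assume_inv=False this is the unguarded step <4>2, and the violations for
    hr outside 1..12 show why that proof was wrong.
    """
    return [(s, t) for s in states() if (not assume_inv) or inv(s)
            for t in successors(s) if not (n_hour(s, t) or t.hr == s.hr)]


def unguarded_mismatch(hr: int) -> Tuple[int, int]:
    """The two values of hr' compared in the wrong proof of <4>2, for a given hr."""
    return (hr % 12) + 1, (1 if hr == 12 else hr + 1)


def or_and_rule_holds() -> bool:
    """Step <2>1 of Theorem 4: [N_m or N_h]_(hr,min,chg_m,chg_h) equals
    [N_m]_(min,chg_m) and [N_h]_(hr,chg_h) on every pair of states of a small domain."""
    dom = list(states(hrs=range(0, 14), mins=(0, 1, 58, 59)))
    for s in dom:
        succ = successors(s)
        for t in dom:
            nm_step = t == n_m(s) or (t.min, t.chg_m) == (s.min, s.chg_m)
            nh_step = t == n_h(s) or (t.hr, t.chg_h) == (s.hr, s.chg_h)
            if (t in succ) != (nm_step and nh_step):
                return False
    return True
```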

6.2 Decomposing Proofs 

In pseudo-programming language terminology, a compositional proof of refine- 
ment (implementation) is one performed by breaking a specification into the 
parallel composition of processes and separately proving the refinement of each 
process. 

The most naive translation of this into mathematics is that we want to prove
$A \Rightarrow \Pi$ by writing $\Pi$ as $\Pi_1 \wedge \Pi_2$ and proving $A \Rightarrow \Pi_1$ and $A \Rightarrow \Pi_2$
separately. Such a decomposition accomplishes little. The lower-level specification
$A$ is usually much more complicated than the higher-level specification $\Pi$, so
decomposing $\Pi$ is of no interest.

A slightly less naive translation of compositional reasoning into mathematics
involves writing both $A$ and $\Pi$ as compositions. This leads to the following proof
of $A \Rightarrow \Pi$.

⟨1⟩1. $\wedge\ A = A_1 \wedge A_2$
      $\wedge\ \Pi = \Pi_1 \wedge \Pi_2$

  Proof: Use the ∨↔∧ rule.

⟨1⟩2. $A_1 \Rightarrow \Pi_1$

⟨1⟩3. $A_2 \Rightarrow \Pi_2$

⟨1⟩4. Q.E.D.

  Proof: By ⟨1⟩1–⟨1⟩3 and the ∧-composition and act-stupid rules.

The use of the act-stupid rule in the final step tells us that we have a problem.
Indeed, this method works only in the most trivial case. Proving each of the
implications $A_i \Rightarrow \Pi_i$ requires proving $A_i \Rightarrow \Box\mathit{Inv}_i$ for some invariant $\mathit{Inv}_i$. Except
when each process accesses only its own variables, so there is no communication
between the two processes, $\mathit{Inv}_i$ will have to mention the variables of both
processes. As our clock example illustrates, the next-state relation of each process's
specification allows arbitrary changes to the other process's variables. Hence, $A_i$
can't imply any nontrivial invariant that mentions the other process's variables.
So, this proof method doesn't work.

Think of each process $A_i$ as the other process's environment. We can't prove
$A_i \Rightarrow \Pi_i$ because it asserts that $A_i$ implements $\Pi_i$ in the presence of arbitrary
behavior by its environment — that is, arbitrary changes to the environment
variables. No real process works in the face of completely arbitrary environment
behavior.

Our next attempt at compositional reasoning is to write a specification $E_i$
of the assumptions that process $i$ requires of its environment and prove
$A_i \wedge E_i \Rightarrow \Pi_i$. We hope that one process doesn't depend on all the details of the
other process's specification, so $E_i$ will be much simpler than the other process's
specification $A_{3-i}$. We can then prove $A \Rightarrow \Pi$ using the following propositional
logic tautology.

$\dfrac{\begin{array}{ll} A_1 \wedge A_2 \Rightarrow E_1 & A_1 \wedge A_2 \Rightarrow E_2 \\ A_1 \wedge E_1 \Rightarrow \Pi_1 & A_2 \wedge E_2 \Rightarrow \Pi_2 \end{array}}{A_1 \wedge A_2 \Rightarrow \Pi_1 \wedge \Pi_2}$

However, this requires proving $A \Rightarrow E_i$, so we still have to reason about the
complete lower-level specification $A$. What we need is a proof rule of the following
form

$\dfrac{\begin{array}{ll} \Pi_1 \wedge \Pi_2 \Rightarrow E_1 & \Pi_1 \wedge \Pi_2 \Rightarrow E_2 \\ A_1 \wedge E_1 \Rightarrow \Pi_1 & A_2 \wedge E_2 \Rightarrow \Pi_2 \end{array}}{A_1 \wedge A_2 \Rightarrow \Pi_1 \wedge \Pi_2} \qquad (4)$

In this rule, the hypotheses $A \Rightarrow E_i$ of the previous rule are replaced by $\Pi \Rightarrow E_i$.
This is a great improvement because $\Pi$ is usually much simpler than $A$. A rule
like (4) is called a decomposition theorem.
Unfortunately, (4) is not valid for arbitrary formulas. (For example, let the
$A_i$ equal true and all the other formulas equal false.) Roughly speaking, (4)
is valid if all the properties are safety properties, and if $E_i$ and $\Pi_i$ modify
disjoint sets of variables, for each $i$. A more complicated version of the rule
allows the $A_i$ and $\Pi_i$ to include liveness properties; and the condition that $\Pi_i$
and $E_i$ modify disjoint sets of variables can be replaced by a weaker, more
complicated requirement. Moreover, everything generalizes from two conjuncts
to $n$ in a straightforward way. All the details can be found in [2].



6.3 Why Bother? 

What have we accomplished by using a decomposition theorem of the form (4)?
As our clock example shows, writing a specification as the conjunction of $n$
processes rests on an equivalence of the form

$\Box[N_1 \vee \ldots \vee N_n]_{\langle v_1, \ldots, v_n\rangle} = \Box[N_1]_{v_1} \wedge \ldots \wedge \Box[N_n]_{v_n}$

Replacing the left-hand side by the right-hand side essentially means changing
from disjunctive normal form to conjunctive normal form. In a proof, this
replaces ∨-composition with ∧-composition. Such a trivial transformation is not
going to simplify a proof. It just changes the high-level structure of the proof
and rearranges the lower-level steps.

Not only does this transformation not simplify the final proof, it may add
extra work. We have to invent the environment specifications $E_i$, and we have
to check the hypotheses of the decomposition theorem. Moreover, handling liveness
can be problematic. In the best of all possible cases, the specifications $E_i$
will provide useful abstractions, the extra hypotheses will follow directly from
existing theorems, and the decomposition theorem will handle the liveness
properties. In this best of all possible scenarios, we still wind up only doing exactly
the same proof steps as we would in proving the implementation directly without
decomposing it.

This form of decomposition is popular among computer scientists because
it can be done in a pseudo-programming language. A conjunction of complete
specifications like $A_1 \wedge A_2$ corresponds to parallel composition, which can be
written in a PPL as $A_1 \| A_2$. The PPL is often sufficiently inexpressive that all the
specifications one can write trivially satisfy the hypotheses of the decomposition
theorem. For example, the complications introduced by liveness are avoided if
the PPL provides no way to express liveness.

Many computer scientists prefer to do as much of a proof as possible in 
the pseudo-programming language, using its special-purpose rules, before be- 
ing forced to enter the realm of mathematics with its simple, powerful laws. 
They denigrate the use of ordinary mathematics as mere “semantic reasoning”. 
Because mathematics can so easily express the underlying semantics of a pseudo- 
programming language, any proof in the PPL can be translated to a semantic 
proof. Any law for manipulating language constructs will have a counterpart 
that is a theorem of ordinary mathematics for manipulating a particular class of 
formulas. Mathematics can also provide methods of reasoning that have no coun-
terpart in the PPL because of the PPL’s limited expressiveness. For example, 
because it can directly mention the control state, an invariance proof based on 
ordinary mathematics is often simpler than one using the Owicki-Gries method. 

Many computer scientists believe that their favorite pseudo-programming 
language is better than mathematics because it provides wonderful abstrac- 
tions such as message passing, or synchronous communication, or objects, or 
some other popular fad. For centuries, bridge builders, rocket scientists, nuclear 
physicists, and number theorists have used their own abstractions. They have 
all expressed those abstractions directly in mathematics, and have reasoned “at 
the semantic level”. Only computer scientists have felt the need to invent new 
languages for reasoning about the objects they study. 

Two empirical laws seem to govern the difficulty of proving the correctness of 
an implementation, and no pseudo-programming language is likely to circumvent 
them: (1) the length of a proof is proportional to the product of the length of the 
low-level specification and the length of the invariant, and (2) the length of the 
invariant is proportional to the length of the low-level specification. Thus, the 
length of the proof is quadratic in the length of the low-level specification. To 
appreciate what this means, consider two examples. The specification of the lazy 
caching algorithm of Afek, Brown, Merritt [3], a typical high-level algorithm, 
is 50 lines long. The specification of the cache coherence protocol for a new 
computer that we worked on is 1900 lines long. We expect the lengths of the two 
corresponding correctness proofs to differ by a factor of 1500. 

The most effective way to reduce the length of an implementation proof is to 
reduce the length of the low-level specification. A specification is a mathematical 
abstraction of a real system. When writing the specification, we must choose the 
level of abstraction. A higher-level abstraction yields a shorter specification. 
But a higher-level abstraction leaves out details of the real system, and a proof 
cannot detect errors in omitted details. Verifying a real system involves a tradeoff 
between the level of detail and the size (and hence difficulty) of the proof. 

A quadratic relation between one length and another implies the existence of 
a constant factor. Reducing this constant factor will shorten the proof. There are 
several ways to do this. One is to use better abstractions. The right abstraction 
can make a big difference in the difficulty of a proof. However, unless one has 
been really stupid, inventing a clever new abstraction is unlikely to help by more 
than a factor of five. Another way to shorten a proof is to be less rigorous, which 
means stopping a hierarchical proof one or more levels sooner. (For real systems, 
proofs reach a depth of perhaps 12 to 20 levels.) Choosing the depth of a proof 
provides a tradeoff between its length and its reliability. There are also silly ways 
to reduce the size of a proof, such as using small print or writing unstructured, 
hand- waving proofs (which are known to be completely unreliable). 

Reducing the constant factor still does not alter the essential quadratic nature 
of the problem. With systems getting ever more complicated, people who try 
to verify them must run very hard to stay in the same place. Philosophically 
motivated theories of compositionality will not help. 
6.4 When a Decomposition Theorem is Worth the Bother

As we have observed, using a decomposition theorem can only increase the total
amount of work involved in proving that one specification implements another.
There is one case in which it's worth doing the extra work: when the computer
does a lot of it for you. If we decompose the specifications $A$ and $\Pi$ into $n$
conjuncts $A_i$ and $\Pi_i$, the hypotheses of the decomposition theorem become
$\Pi \Rightarrow E_i$ and $A_i \wedge E_i \Rightarrow \Pi_i$, for $i = 1, \ldots, n$. The specification $A$ is broken into
the smaller components $A_i$. Sometimes, these components will be small enough
that the proof of $A_i \wedge E_i \Rightarrow \Pi_i$ can be done by model checking — using a computer
to examine all possible equivalence classes of behaviors. In that case, the extra
work introduced by decomposition will be more than offset by the enormous
benefit of using model checking instead of human reasoning. An example of such
a decomposition is described in [7].

7 Composing Specifications 

There is one situation in which compositional reasoning cannot be avoided: when 
one wants to reason about a component that may be used in several different 
systems. 

The specifications we have described thus far have been complete-system
specifications. Such specifications describe all behaviors in which both the system
and its environment behave correctly. They can be written in the form $S \wedge E$,
where $S$ describes the system and $E$ the environment. For example, if we take
the component to be our clock example's hour process, then $S$ is the formula $\Pi_h$
and $E$ is $\Pi_m$. (The hour process's environment consists of the minute process.)

If a component may be used in multiple systems, we need to write an open-system
specification — one that specifies the component itself, not the complete
system containing it. Intuitively, the component's specification asserts that it
satisfies $S$ if the environment satisfies $E$. This suggests that the component's
open-system specification should be the formula $E \Rightarrow S$. This specification allows
behaviors in which the system misbehaves, if the environment also misbehaves. It
turns out to be convenient to rule out behaviors in which the system misbehaves
first. (Such behaviors could never be allowed by a real implementation, which
cannot know in advance that the environment will misbehave.) We therefore
take as the specification the formula $E \xrightarrow{+} S$, which is satisfied by a behavior in
which $S$ holds as long as $E$ does. The precise definition of $\xrightarrow{+}$ and the precise
statement of the results about open-system specifications can be found in [2].

The basic problem of compositional reasoning is showing that the composition
of component specifications satisfies a higher-level specification. This means
proving that the conjunction of specifications of the form $E \xrightarrow{+} S$ implies another
specification of that form. For two components, the proof rule we want is:

$\dfrac{E \wedge S_1 \wedge S_2 \Rightarrow E_1 \wedge E_2 \wedge S}{(E_1 \xrightarrow{+} S_1) \wedge (E_2 \xrightarrow{+} S_2) \Rightarrow (E \xrightarrow{+} S)}$

Such a rule is called a composition theorem. As with the decomposition theorem
(4), it is valid only for safety properties under certain disjointness assumptions; a
more complicated version is required if $S$ and the $S_i$ include liveness properties.

Composition of open-system specifications is an attractive problem, having
obvious application to reusable software and other trendy concerns. But in 1997,
the unfortunate reality is that engineers rarely specify and reason formally about
the systems they build. It is naive to expect them to go to the extra effort of
proving properties of open-system component specifications because they might
re-use those components in other systems. It seems unlikely that reasoning about
the composition of open-system specifications will be a practical concern within
the next 15 years. Formal specifications of systems, with no accompanying
verification, may become common sooner. However, the difference between the
open-system specification $E \xrightarrow{+} M$ and the complete-system specification $E \wedge M$ is
one symbol — hardly a major concern in a specification that may be 50 or 200
pages long.

8 Conclusion 

What should we do if faced with the problem of finding errors in the design of 
a real system? The complete design will almost always be too complicated to 
handle by formal methods. We must reason about an abstraction that represents 
as much of the design as possible, given the limited time and manpower available. 

The ideal approach is to let a computer do the verification, which means 
model checking. Model checkers can handle only a limited class of specifications. 
These specifications are generally small and simple enough that it makes lit- 
tle difference in what language they are written — conventional mathematics or 
pseudo-programming languages should work fine. For many systems, abstrac- 
tions that are amenable to model checking omit too many important aspects of 
the design. Human reasoning — that is, mathematical proof — is then needed. Oc- 
casionally, this reasoning can be restricted to rewriting the specification as the 
composition of multiple processes, decomposing the problem into subproblems 
suitable for model checking. In many cases, such a decomposition is not feasible, 
and mathematical reasoning is the only option. 

Any proof in mathematics is compositional — a hierarchical decomposition of 
the desired result into simpler subgoals. A sensible method of writing proofs will 
make that hierarchical decomposition explicit, permitting a tradeoff between 
the length of the proof and its rigor. Mathematics provides more general and 
more powerful ways of decomposing a proof than just writing a specification 
as the parallel composition of separate components. That particular form of 
decomposition is popular only because it can be expressed in terms of the pseudo- 
programming languages favored by computer scientists. 

Mathematics has been developed over two millennia as the best approach to 
rigorous human reasoning. A couple of decades of pseudo-programming language 
design poses no threat to its pre-eminence. The best way to reason mathemati- 
cally is to use mathematics, not a pseudo-programming language. 
Abstract. This is not a paper about compositionality in itself, nor a general paper about mixing synchronous languages. We first recall that compositionality appears in three places in the definition of synchronous languages: 1) the synchrony hypothesis guarantees that the formal semantics of the language is compositional (in the sense that there exists an appropriate congruence); 2) programming environments offer separate compilation, at various levels; 3) the idea of using synchronous observers for describing the properties of a program provides a kind of assume/guarantee scheme, thus enabling compositional proofs. Then we take an example in order to illustrate these good properties of synchronous languages: the idea is to extend a dataflow language like Lustre with a construct that supports the description of running modes. We show how to use compositionality arguments when choosing the semantics of such a mixed-style language. The technical part is taken from [MR98].



1 Introduction 

1.1 About compositionality 

The call for participation contains a definition of compositionality. It says: “Any method by which the properties of a system can be inferred from the properties of its constituents, without additional information about the internal structure of the constituents”.

This implies the existence of two domains: the constituents of systems, and 
their properties. The relationship between these two domains is a function that 
associates properties to constituents. Constituents may be composed in order to 
form bigger systems; properties may be combined so that another property is 
inferred from a set of already given ones. 

Moreover, “without additional information about the internal structure of the constituents” clearly states that the function that associates the properties to a constituent is non-injective. Hence there exist two distinct systems having the same “properties”. Having the same properties defines an equivalence of systems. And in any context where objects may be composed and declared equivalent, it is of particular interest that the equivalence be a congruence for the available compositions. This scheme may be instantiated in a number of ways.

1.2 Compositionality and logical properties 

One instance is given by associating logical properties to systems. In this case, 
two problems are of interest: 

— Given a program $P$, which is the composition of two “constituents” $P_1$ and $P_2$, i.e. $P = op(P_1, P_2)$, and a property $\varphi$ we want to prove for $P$, how to find a property $\varphi_1$ holding for $P_1$, and a property $\varphi_2$ holding for $P_2$, such that we can logically “infer” $\varphi$ from $\varphi_1$ and $\varphi_2$?

— Given properties of the program constituents, how can we combine them 
into a property of the global program (depending on the way constituents 
are composed)? 

1.3 Compositionality, separate compilation and linkers 

Another instance of the general scheme is given by separate compilation and 
linking. 

If the system we consider is a program, written in a classical sequential language, and we call “properties” the object code generated by a compiler, then the general scheme for compositionality describes separate compilation and link-editing. Everybody knows that the executable code of a program written as a set of C source files (or modules) can be built from the set of separately compiled object files, without additional information about the internal structure of the C files. The intermediate form contains all the information needed in order to merge the two object codes produced by compiling two source programs. In sequential languages like C, merging consists in putting together the definition of a function (or procedure) and all the calls to this function, which may appear in different source files. Merging is performed according to the names of the objects. Hence the intermediate object code must contain information about names. This symbol table is clearly something that is not needed any more in the executable code one wants to obtain at the end.

In this case “composition” is the concatenation of source files (provided they do not define the same global objects); “infer” is the linking process.

This instance of the general scheme has the congruence property: there is no context that would allow one to distinguish between two source files having the same object code (this seems to be a very strong property, but one can define notions of equivalence for object code that loosen the strict syntactic identity).

1.4 Compositionality and Synchronous Languages 

In the whole process of designing, implementing and using a synchronous language [BB91], compositionality appears in several places: definition of the formal semantics; issues related to separate compilation; compositional proof of properties.



Compositional semantics The synchrony hypothesis, which states that the program can be considered to react in zero time, is the key point for the compositionality of the semantics. Arguments are given in [BB91]. The idea is that a component may be replaced safely by the parallel composition of two components (for instance) without modifying the global reaction time, since $0 + 0 = 0$. This is illustrated in a very simple case in [Mar92]: the semantics of Argos is given by associating a single Boolean Mealy machine to an Argos program, which is a composition of several such machines (in parallel or hierarchically). The compositionality of the semantics means that the usual equivalences that can be defined for Boolean Mealy machines (e.g. bisimulation) are indeed congruences for the operations of the language.

Another important point for imperative synchronous languages is the notion of causality. It has long been considered as an intrinsically non-compositional property of programs, meaning that, even if two components are causal, their parallel composition (with communication and potential feedback) is not necessarily causal. However, G. Berry gave a compositional definition of causality for Esterel [Ber95], and this notion can be adapted to other imperative synchronous languages like Argos [Mar92].



Separate compilation and linking for synchronous languages As far as the mixing of languages is concerned, the “linker” approach is the proper “multi-language” approach, in which each language involved has its own semantics and compiler, and there exists a common semantical model, which justifies the intermediate code format and the linking process.

This has been used for ArgoLus [JLMR93,JLMR94], or, more recently, for Argos+Lustre via DC [MH96]. DC is the common target format for the compilers of Lustre, Esterel and Argos. The linking approach is also used in the Synchronie Workbench [SWB] (see the paper by Axel Poigné and Leszek Holenderski, same volume).

Allowing separate compilation of one (or several) synchronous languages 
amounts to defining the appropriate intermediate form between source programs 
and target code. 

Synchronous languages all offer a notion of parallelism between components 
(be it explicit like in Esterel or Argos, or implicit like in Lustre and Signal). On 
the contrary, the target code is purely sequential. Hence a scheduling operation 
has to be performed somewhere between source programs and target code. 

Compositionality Criteria for Defining Mixed Styles Synchronous Languages 427

Choosing the appropriate intermediate form for separate compilation has a lot to do with this scheduling phase. In the DC format, the scheduling is not already performed, hence programs still have a parallel structure (DC is a dataflow language, hence the parallelism is intrinsic between nodes). The linking process, when performed at the DC level, consists in connecting several dataflow networks together. The scheduling phase is then performed globally on the linked DC program, when translating DC into C, Java, or Ada sequential code. See the paper by Albert Benveniste, Paul Le Guernic and Pascal Aubry, same volume, for details on the separate compilation of Signal programs, where the intermediate form is already (partially) scheduled.



Compositional proofs In the framework of synchronous languages, verifica- 
tion of safety properties is done using synchronous observers [HLR93]. Moreover, 
since synchronous languages are indeed programming languages for reactive sys- 
tems, they all offer the explicit distinction between inputs and outputs. Therefore, 
the verification process always takes into account some assumptions about the 
environment. The classical verification scheme is the following: 




Fig. 1. verification with synchronous observers 



The assumption on the behaviour of the environment is a synchronous pro- 
gram, which recognizes the correct sequences of inputs (assumptions do not need 
to be instantaneous. One can express, for instance, that two Boolean inputs al- 
ternate. Hence the assumption can have memory). As soon as the inputs become 
unrealistic, the output realistic is false, and remains false forever. The safety 
property is also encoded by a synchronous program that observes the inputs and 
outputs of the program to be verified, and outputs a single Boolean value ok. The 
key point is that observing a program does not modify its behaviour. This is pos- 
sible because the components of synchronous programs communicate with each 
other by synchronous broadcast, which is asymmetric: emission is non blocking, 
and receivers may be added without modifying the emitter (this is clearly not 
the case with rendez-vous communication for instance). The only constraint to 
be respected is that the output of the observer should not be connected to the 
input of the program (no feedback) . 

The three programs are connected together and the resulting program is compiled. The verification tool then has to prove (it can be done by enumerative methods or symbolically) that, as long as the output realistic is true, the output ok is also true.

This verification scheme allows one to verify that a property $\varphi$ holds for a program $P$ under the assumption $\psi$ on the environment of $P$. Hence, verifying that a property $\varphi$ holds for a parallel program $P \| Q$ can be divided into two tasks: 1) find a property $\psi$ holding for $P$; 2) prove that $\varphi$ holds for $Q$ under assumption $\psi$.
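The scheme of Fig. 1, as an added example (this is not code from the paper): a program, an assumption observer with memory, and a property observer are each written in the (memory, step) form of the reactive kernel of Section 2, connected as a synchronous product with no feedback from the observers into the program, and checked by enumerating the reachable states of the product, the "enumerative method" the text mentions. The request/acknowledge counter, the alternation assumption and the bound 0 ≤ pending ≤ 1 are constructed for the illustration; the second run, with the trivial assumption, shows why the environment assumption is needed.

```python
"""Verification with synchronous observers (Fig. 1), built on the reactive-kernel form
of Section 2: a component is a pair (init, step) with step(M, i) -> (o, M').
Constructed example, not the paper's code."""
from collections import deque

# Program P under verification (constructed): it counts unacknowledged requests.
# Inputs req and ack are Booleans; the output pending is an integer.
def prog_init():
    return 0                                   # memory M before time starts

def prog_step(mem, inp):
    pending = mem + int(inp["req"]) - int(inp["ack"])
    return {"pending": pending}, pending       # (output o(M, i), new memory h(M, i))

# Assumption observer: req and ack alternate, req first, never both at once.
# It has memory (which event is expected next) and, as in the text, latches:
# once the inputs become unrealistic, 'realistic' is false and stays false.
def assume_init():
    return (True, True)                        # (still realistic, req expected next)

def assume_step(mem, inp):
    realistic, expect_req = mem
    req, ack = inp["req"], inp["ack"]
    legal = (not (req and ack) and (not req or expect_req)
             and (not ack or not expect_req))
    realistic = realistic and legal
    if req:
        expect_req = False
    elif ack:
        expect_req = True
    return {"realistic": realistic}, (realistic, expect_req)

# Trivial assumption (no constraint on the environment), used for comparison.
def trivial_init():
    return None

def trivial_step(mem, inp):
    return {"realistic": True}, mem

# Property observer: pending stays in {0, 1}. It reads inputs and outputs of P and
# feeds nothing back into P, which is the one constraint the text puts on observers.
def prop_step(observed):
    return {"ok": 0 <= observed["pending"] <= 1}

# All valuations of the Boolean inputs at one instant.
INPUTS = [{"req": r, "ack": a} for r in (False, True) for a in (False, True)]

def verify(assumption=(assume_init, assume_step), max_depth=50):
    """Enumerative check of P || assumption || observer: explore the reachable states of
    the synchronous product under every input valuation and require, at each instant,
    that realistic implies ok.  Returns None when no violation exists among the explored
    states, otherwise the input sequence that leads to one.  Successors of an unrealistic
    instant are not explored (the property is vacuous from there on), which keeps the
    state space finite whenever the assumption bounds the program's memory."""
    a_init, a_step = assumption
    start = (prog_init(), a_init())
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (pm, am), trace = queue.popleft()
        if len(trace) >= max_depth:
            continue
        for inp in INPUTS:
            pout, pm2 = prog_step(pm, inp)
            aout, am2 = a_step(am, inp)
            ok = prop_step({**inp, **pout})["ok"]
            path = trace + [inp]
            if aout["realistic"] and not ok:
                return path                    # counterexample: realistic but not ok
            if not aout["realistic"]:
                continue
            if (pm2, am2) not in seen:
                seen.add((pm2, am2))
                queue.append(((pm2, am2), path))
    return None

if __name__ == "__main__":
    print("under the alternation assumption:", verify())
    print("without any assumption:", verify(assumption=(trivial_init, trivial_step)))
```

Under the alternation assumption the product has only four reachable states and the exploration is exhaustive, so the result `None` is a proof for this program. With the trivial assumption the first valuation explored that is not a legal environment step (an ack with nothing pending) already violates the property, which is exactly the kind of spurious counterexample the assumption observer is there to rule out.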



1.5 Another way of mixing synchronous languages

In this paper, we investigate another approach for mixing synchronous languages. This approach is not “multi-language”, but rather “multi-style/single language”. It is the approach taken in Oz [MMVR95] and a lot of so-called “multi-paradigm” languages, in which one can freely mix functional and imperative styles, constraint or concurrent programming and objects, etc. Of course this makes sense only if there is a common semantical model, but one has to define the semantics of this new language, i.e., mainly, the way two constructs from different programming styles interact with each other.

There is a particular case, when the new language is designed by mixing the constructs of two already existing languages, having their own semantics. In this case, one could reasonably hope that the new language is, in some sense, a “conservative” extension of each of the original languages, meaning that, if one uses only the constructs from language A in the mixing of A and B, then the new semantics coincides with the usual semantics of A.

In this paper, we study the mixing of Lustre and Argos, and three criteria 
we used in defining the semantics of this mixed language. 



Overview of the paper 

Section 2 briefly introduces the synchronous approach for the programming of reactive systems. Section 3 defines mini-Lustre, a small subset of Lustre which is sufficient for presenting our notion of mode-automaton, in which Lustre equations are associated to the states of an Argos program (Section 4). Section 5 lists three criteria for the semantics of these mode-automata, which are instances of the general compositionality scheme described above. Section 6 proposes two semantics of mode-automata, by translation into pure Lustre. Only one of them respects the criteria. Section 7 is the conclusion.

2 The Synchronous Approach for Reactive Systems 

A reactive system has inputs and outputs. It reacts to inputs from what we 
call its environment, by sending outputs to it. The output that is sent to the 
environment at a given point in time may depend on the history of inputs, from 
the origin of time to the current instant. 
In the synchronous approach, time is logical (the relation between this logical time and physical time is not dealt with in the languages) and discrete. We can think of a sequence of instants, numbered with integers. A consequence of this notion of time is the ability to define the reaction of the system to the absence of some event in the environment.

At each instant $n$, the system reacts to input $i_n$ by sending output $o_n$. In the general case, $o_n = f(i_0, \ldots, i_n)$, i.e. the current output depends on the whole history of inputs.

Note that $o_n$ may not depend on further inputs, which represent the future; it may depend on $i_n$, i.e. the input at the same instant, which is called the synchrony hypothesis [BG92].

The synchronous languages for reactive systems are restricted to systems for which the output at instant $n$ depends on a bounded abstraction of the input history only. In other words, bounded-memory systems. In this case, $o_n = f(i_0, \ldots, i_n)$, where $f$ is a function such that $\exists B.\ |\mathrm{Image}(f)| < B$. And, of course, $f$ must be computable incrementally, which means:

$\exists h.\ f(i_0, \ldots, i_n) = h(f(i_0, \ldots, i_{n-1}), i_n)$

This allows us to consider that a reactive system is always an instance of a very simple program of the form:

Initialize the memory $M$
while true do
    Acquire input $i$
    Emit output $o(M, i)$
    Update the memory: $M = h(M, i)$

The synchronous languages are designed for describing the reactive kernel of 
such a system, i.e. the output function o and the transition function h. 

Argos and Lustre have very different styles for that. Argos is based upon the 
explicit memory paradigm: a program is a Mealy machine, which means that 
states and transitions are given in extension. Operations of the language include 
parallel composition and hierarchic composition of Mealy machines communicat- 
ing by synchronous broadcast. 

Lustre is based upon the implicit memory paradigm. The transition function 
h and the output function o are described by sets of equations (without instan- 
taneous dependencies). The compiler is able to produce a Mealy machine from 
a Lustre program, if needed. 

3 Mini-Lustre: a (very) Small Subset of Lustre 

For the rest of the paper, we use a very small subset of Lustre. A program is a 
single node, and we avoid the complexity related to types as much as possible. In 
some sense, the mini-Lustre model we present below is closer to the DC [CS95] 
format used as an intermediate form in the Lustre, Esterel and Argos compilers. 
Definition 1 (mini-Lustre programs). $N = (V_i, V_o, V_l, f, I)$ where:

$V_i$, $V_o$ and $V_l$ are pairwise disjoint sets of input, output and local variable names. $I$ is a total function from $V_o \cup V_l$ to constants. $f$ is a total function from $V_o \cup V_l$ to the set $Eq(V_i \cup V_o \cup V_l)$, and $Eq(V)$ is the set of expressions with variables in $V$, defined by the following grammar: $e ::= c \mid x \mid op(e, \ldots, e) \mid pre(x)$. $c$ stands for constants, $x$ stands for a name in $V$, and $op$ stands for all combinational operators. An interesting one is the conditional if $e_1$ then $e_2$ else $e_3$, where $e_1$ should be a Boolean expression, and $e_2$, $e_3$ should have the same type. $pre(x)$ stands for the previous value of the flow denoted by $x$. In case one needs $pre(x)$ at the first instant, $I(x)$ should be used. □

We restrict mini-Lustre to integer and Boolean values. All expressions are assumed to be typed correctly. As in Lustre, we require that the dependency graph between variables be acyclic. A dependency of $X$ on $Y$ appears whenever there exists an equation of the form $X = \ldots Y \ldots$ and $Y$ does not appear inside a $pre$ operator. In the syntax of mini-Lustre programs, it means that $Y$ appears in the expression $f(X)$, not under a $pre$ operator.

Definition 2 (Trace semantics of mini-Lustre). Each variable name $v$ in the mini-Lustre program describes a flow of values of its type, i.e. an infinite sequence $v_0, v_1, \ldots$. Given a sequence of inputs, i.e. the values $v_n$ for each $v \in V_i$ and each $n \geq 0$, we describe below how to compute the sequences (or traces) of local and output flows of the program. The initialization function gives values to variables for the instant “before time starts”, since it provides values in case $pre(x)$ is needed at instant 0. Hence we can call it $x_{-1}$:

$\forall v \in V_o \cup V_l.\ v_{-1} = I(v)$

For all instants in time, the value of an output or local variable is computed according to its definition as given by $f$:

$\forall n \geq 0.\ \forall v \in V_o \cup V_l.\ v_n = f(v)[x_n/x][x_{n-1}/pre(x)]$

We take the expression $f(v)$, in which we replace each variable name $x$ by its current value $x_n$, and each occurrence of $pre(x)$ by the previous value $x_{n-1}$. This yields an expression in which combinational operators are applied to constants. The set of equations we obtain for defining the values of all the flows over time is acyclic, and is a sound definition. □



Definition 3 (Union of mini-Lustre nodes). Provided they do not define the same outputs, i.e. $V_o^1 \cap V_o^2 = \emptyset$, we can put together two mini-Lustre programs. This operation consists in connecting the outputs of one of them to the inputs of the other, if they have the same name. These connecting variables should be removed from the inputs of the global program, since we now provide definitions for them. This corresponds to the usual dataflow connection of two nodes.

$N^1 \cup N^2 = \big( (V_i^1 \cup V_i^2) \setminus V_o^1 \setminus V_o^2,\ V_o^1 \cup V_o^2,\ V_l^1 \cup V_l^2,$
$\quad \lambda x.\ \text{if } x \in V_o^1 \cup V_l^1 \text{ then } f^1(x) \text{ else } f^2(x),$
$\quad \lambda x.\ \text{if } x \in V_o^1 \cup V_l^1 \text{ then } I^1(x) \text{ else } I^2(x) \big)$

Local variables should be disjoint also, but we can assume that a renaming is performed before two mini-Lustre programs are put together. Hence $V_l^1 \cap V_l^2 = \emptyset$ is guaranteed. The union of the sets of equations should still satisfy the acyclicity constraint. □



Definition 4 (Trace equivalence for mini-Lustre). Two programs $L_1 = (V_i, V_o, V_l^1, f^1, I^1)$ and $L_2 = (V_i, V_o, V_l^2, f^2, I^2)$ having the same input/output interface are trace-equivalent (denoted by $L_1 \sim L_2$) if and only if they give the same sequence of outputs when fed with the same sequence of inputs. □



Definition 5 (Trace equivalence for mini-Lustre with no initial specification). We consider mini-Lustre programs without initial specification, i.e. mini-Lustre programs without the function $I$ that gives values for the flows “before time starts”. Two such objects $L_1 = (V_i, V_o, V_l^1, f^1)$ and $L_2 = (V_i, V_o, V_l^2, f^2)$ having the same input/output interface are trace-equivalent (denoted by $L_1 \approx L_2$) if and only if, for all initial configurations $I$, they give the same sequence of outputs when fed with the same sequence of inputs. □



Property 1: Trace equivalence is preserved by union.



4 Proposal for a Mixed- Style Language 

4.1 Motivations 

We want to introduce running modes in a Lustre dataflow program, such that 
the switching of modes can be clearly identified, and described independently 
from the description of the modes. See [MR98] for a detailed introduction to the 
notion of running modes, and comparison with other works. 



4.2 Mode- Automata 

In [MR98] we propose a programming model called “ mode- automata” , made of: 
operations on automata taken from the definition of Argos [Mar92]; dataflow 
equations taken from Lustre [BCH+85]. 
Fig. 2. Mode-automata: a simple example



Example The mode-automaton of figure 2 describes a program that outputs 
an integer X. The initial value is 0. Then, the program has two modes: an in- 
crementing mode, and a decrementing one. Changing modes is done according 
to the value reached by variable X: when it reaches 10, the mode is switched to 
“decrementing”; when X reaches 0 again, the mode is switched to “increment- 
ing” . 



Definition For simplicity, we give the definition for a simple case where the 
equations define only integer variables. One could easily extend this framework 
to all types of variables. 

Definition 6 (Mode-automata). A mode-automaton is a tuple $(Q, q_0, V_i, V_o, I, f, T)$ where:

— $Q$ is the set of states of the automaton part

— $q_0 \in Q$ is the initial state

— $V_i$ and $V_o$ are sets of names for input and output integer variables.

— $T \subseteq Q \times C(V) \times Q$ is the set of transitions, labeled by conditions on the variables of $V = V_i \cup V_o$

— $I : V_o \rightarrow \mathbb{N}$ is a function defining the initial value of output variables

— $f : Q \rightarrow V_o \rightarrow EqR$ defines the labeling of states by total functions from $V_o$ to the set $EqR(V_i \cup V_o)$ of expressions that constitute the right parts of the equations defining the variables of $V_o$.

The expressions in $EqR(V_i \cup V_o)$ have the same syntax as in mini-Lustre nodes: $e ::= c \mid x \mid op(e, \ldots, e) \mid pre(x)$, where $c$ stands for constants, $x$ stands for a name in $V_i \cup V_o$, and $op$ stands for all combinational operators. The conditions in $C(V_i \cup V_o)$ are expressions of the same form, but without $pre$ operators; the type of an expression serving as a condition is Boolean. □

Note that input variables are used only in the right parts of the equations, or in the conditions. Output variables are used in the left parts of the equations, or in the conditions.







We require that the automaton part of a mode-automaton be deterministic, i.e., for each state $q \in Q$, if there exist two outgoing transitions $(q, c_1, q_1)$ and $(q, c_2, q_2)$, then $c_1 \wedge c_2$ is not satisfiable.

We also require that the automaton be reactive, i.e., for each state $q \in Q$, the formula $\bigvee_{(q, c, q') \in T} c$ is valid.

With these definitions, the example of figure 2 is written as:

$(\{A, B\},\ A,\ \emptyset,\ \{X\},\ I : X \mapsto 0,$
$\quad f(A) = \{X = pre(X) + 1\},\ f(B) = \{X = pre(X) - 1\},$
$\quad \{(A, X = 10, B),\ (B, X = 0, A),\ (A, X \neq 10, A),\ (B, X \neq 0, B)\})$

In the graphical notation of the example, we omitted the two loops $(A, X \neq 10, A)$ and $(B, X \neq 0, B)$.

5 Three Constraints on the Semantics, and the Associated Compositionality Criteria

The purpose of this section is not to detail the semantics and implementation 
of mode-automata. Before defining this semantics, we established a list of its 
desirable properties, and it appears that they can be viewed as instances of the 
general compositionality scheme given in section 1.1 above. 

We could provide a new semantics, in any style. However, Lustre has a formal semantics in itself. Providing a translation of mode-automata into pure Lustre is therefore a simple way of defining their semantics. Section 6 defines the translation function $\mathcal{L}$. It gives a first translation, for which the properties hold. We also suggest another translation, for which one of the properties does not hold (section 6.3 below).

5.1 Parallel Composition of Mode- Automata 

The question about parallel composition of mode-automata is an instance of the 
general compositionality scheme. Indeed: 

— Consider that mode-automata are the systems we are interested in, and the 
Lustre programs we obtain as their semantics are the “properties” . 

— Putting two Lustre programs “together” makes sense (see Definition 3) . This 
could be the “infer” process. 

— Then, how should we define a composition of two mode-automata (denoted by $\|$) in such a way that the diagram commutes? In other words, we should have:

$\mathcal{L}(M_1 \| M_2) = \mathcal{L}(M_1) \cup \mathcal{L}(M_2)$

See Section 6.2 for the definition of $\mathcal{L}$ and Definition 3 for $\cup$.

Provided $V_o^1 \cap V_o^2 = \emptyset$, we define the parallel composition of two mode-automata by:

$(Q^1, q_0^1, T^1, V_i^1, V_o^1, I^1, f^1) \| (Q^2, q_0^2, T^2, V_i^2, V_o^2, I^2, f^2) =$
$\quad (Q^1 \times Q^2,\ (q_0^1, q_0^2),\ T,\ (V_i^1 \cup V_i^2) \setminus V_o^1 \setminus V_o^2,\ V_o^1 \cup V_o^2,\ I,\ f)$

Where:

$f((q^1, q^2))(x) = f^1(q^1)(x)$ if $x \in V_o^1$, and $f^2(q^2)(x)$ otherwise, i.e. if $x \in V_o^2$

Similarly:

$I(x) = I^1(x)$ if $x \in V_o^1$, and $I^2(x)$ if $x \in V_o^2$

And the set $T$ of global transitions is defined by:

$(q^1, C^1, q'^1) \in T^1 \wedge (q^2, C^2, q'^2) \in T^2 \implies ((q^1, q^2),\ C^1 \wedge C^2,\ (q'^1, q'^2)) \in T$



5.2 Congruences of Mode- Automata 

We try to define an equivalence relation for mode-automata, which is a congru- 
ence for the parallel composition. There are essentially two ways of defining such 
an equivalence : 

— Either as a relation induced by the existing equivalence of Lustre programs 
(the trace equivalence) 

— Or by an explicit definition on the structure of mode-automata, inspired 
by the trace equivalence of automata. The idea is that, if two states have 
equivalent sets of equations, then they can be identified. 

Definition 7 (Induced equivalence of mode-automata). $M_1 \equiv_i M_2 \iff \mathcal{L}(M_1) \sim \mathcal{L}(M_2)$ (see Definition 4 for $\sim$). □



Definition 8 (Direct equivalence of mode-automata). The direct equivalence is a bisimulation, taking the labeling of states into account:

$(Q^1, q_0^1, T^1, V_i^1, V_o^1, I^1, f^1) \equiv_d (Q^2, q_0^2, T^2, V_i^2, V_o^2, I^2, f^2) \iff \exists R \subseteq R_s$ such that:

$(q_0^1, q_0^2) \in R$, and

$(q^1, q^2) \in R \implies \big( (q^1, c_1, q'^1) \in T^1 \implies \exists q'^2, c_2 \text{ s.t. } (q^2, c_2, q'^2) \in T^2 \wedge c_1 = c_2 \wedge (q'^1, q'^2) \in R \big)$, and conversely.

Where $R_s \subseteq Q^1 \times Q^2$ is the relation on states induced by the equivalence of the attached sets of equations: $(q^1, q^2) \in R_s \iff f^1(q^1) \approx f^2(q^2)$ (see Definition 5 for $\approx$). □



These two equivalences probably do not coincide ($\equiv_i$ identifies more programs than $\equiv_d$), but both should be congruences for the parallel composition.
5.3 Argos or Lustre Expressed as Mode-automata

The last question is the following: can the model of mode-automata be considered as a conservative extension of both Lustre and Argos? I.e., for a given Lustre program $L$, can we build a mode-automaton $M$ such that $\mathcal{L}(M) \sim L$; and, similarly, for a given Argos program $A$, can we build $M$ such that $\mathcal{L}(M) \sim A$? (The equivalence between a Lustre and an Argos program is the identity of the sets of input/output traces.)

The answer is trivial for Lustre: just build a single-state mode-automaton, 
and attach the whole Lustre program to the unique state. The semantics of 
mode-automata should ensure the property. 

For Argos, it is less trivial, since we have to transform the Mealy style (inputs and outputs on the transitions) into the mode-automaton style. The key point is that, in the imperative style of Argos (it would be the same for Esterel), outputs are supposed to be absent if nobody emits them; in the equational style of mode-automata (inherited from Lustre), all signal values have to be explicitly defined.

Figure 3 gives an example. $a, b, c, d$ are inputs, $\alpha$ and $\beta$ are outputs. (a) is a Mealy machine (like the components of Argos programs), (b) is a mode-automaton that should have the same behaviour. Note that we obtain a particular form of mode-automata, where the equations attached to states make no use of the $pre$ operator. As expected, all the “memory” is encoded into states.

[Figure 3: (a) the Mealy machine over inputs $a, b, c, d$ with outputs $\alpha, \beta$; (b) the corresponding mode-automaton, whose states carry equations such as $\alpha = d \wedge b$, $\beta = a \wedge c$ and $\alpha = false$, with transition conditions such as $a \wedge c$.]

Fig. 3. Translating Argos into mode-automata




The translation of full Argos is intended to be structural: for instance, for an Argos program $P \| Q$ made of two Mealy machines $P$ and $Q$, the corresponding mode-automata program should be the parallel composition of $M_P$ and $M_Q$, obtained respectively from the machines $P$ and $Q$ as described above.
6 A possible semantics

6.1 Intuition 

The main idea is to translate the automaton structure into Lustre, in a very 
classical and straightforward way. Once the automaton structure is encoded, 
one has to relate the sets of equations to states. This is done by gathering all 
the sets of equations attached to states in a single conditional structure. 

We give a possible translation below. 

6.2 Translation into pure Lustre 

The function $\mathcal{L}$ associates a mini-Lustre program with a mode-automaton. We associate a Boolean local variable with each state in $Q = \{q_0, q_1, \ldots, q_n\}$, with the same name. Hence:

$\mathcal{L}((Q, q_0, V_i, V_o, I, f, T)) = (V_i, V_o, Q, e, J)$

The initial values of the variables in $V_o$ are given by the initialization function $I$ of the mode-automaton, hence $\forall x \in V_o.\ J(x) = I(x)$. For the local variables of the mini-Lustre program, which correspond to the states of the mode-automaton, we have: $J(q_0) = true$ and $J(q) = false$ for all $q \neq q_0$. The equations of the mini-Lustre program are obtained by:

for $x \in V_o$, $e(x)$ is the expression:
    if $q_0$ then $f(q_0)(x)$
    else if $q_1$ then $f(q_1)(x)$
    ...
    else if $q_n$ then $f(q_n)(x)$

for $q \in Q$, $e(q)$ is the expression:
    $\bigvee_{(q', c, q) \in T} pre(q' \wedge c)$

The equation for a local variable $q$ that encodes a state $q$ expresses that we are in state $q$ at a given instant if and only if we were in some state $q'$, and a transition $(q', c, q)$ could be taken. Note that, because the automaton is reactive, the system can always take a transition, in any state. A particular case is $q' = q$: staying in a state means taking a loop on that state, at each instant.

The mini-Lustre program obtained for the example is the following (note that pre(A and X = 10) is the same as pre(A) and pre(X) = 10, hence the equations have the form required in the definition of mini-Lustre).

$V_i = \emptyset$, $V_o = \{X\}$, $V_l = \{A, B\}$

f(X) : if A then pre(X)+1 else pre(X)-1
f(A) : pre(A and not X=10) or pre(B and X=0)
f(B) : pre(B and not X=0) or pre(A and X=10)

I(X) = 0, I(A) = true, I(B) = false
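Added example, not code from the paper: an interpreter for mini-Lustre as defined in Section 3 (Definitions 1 to 3, including the acyclicity check on the instantaneous dependency graph) together with the translation $\mathcal{L}$ of this section, applied to the mode-automaton of Fig. 2. The encoding of expressions as tagged tuples and the Python names of the combinational operators are this example's own choices. The translation expands $pre(q' \wedge c)$ into $pre(q')$ and $c$ with every variable put under $pre$, as the note above does by hand, and takes the last state of $Q$ as the final else of the conditional chain, which is equivalent because the automaton is reactive and deterministic.

```python
"""mini-Lustre (Definitions 1-3) and the translation L of Section 6.2 as runnable Python.
Added example, not the paper's code; the expression encoding is this example's own."""

# Expression AST of Definition 1:  ("c", value) | ("v", x) | ("pre", x) | ("op", fn, e, ...)
def C(v):        return ("c", v)
def V(x):        return ("v", x)
def PRE(x):      return ("pre", x)
def OP(fn, *es): return ("op", fn) + es          # fn: any combinational operator

IF  = lambda c, a, b: a if c else b
AND = lambda a, b: a and b
NOT = lambda a: not a
EQ  = lambda a, b: a == b

def deps(e):
    """Variables read instantaneously by e (occurrences under pre do not count)."""
    if e[0] == "v":  return {e[1]}
    if e[0] == "op": return set().union(*(deps(a) for a in e[2:]))
    return set()

def evaluate(e, cur, prev):
    """f(v)[x_n/x][x_{n-1}/pre(x)]: cur holds the values at n, prev those at n-1."""
    if e[0] == "c":   return e[1]
    if e[0] == "v":   return cur[e[1]]
    if e[0] == "pre": return prev[e[1]]
    return e[1](*(evaluate(a, cur, prev) for a in e[2:]))

class MiniLustre:
    """N = (Vi, Vo, Vl, f, I); f and I are dicts over Vo U Vl."""
    def __init__(self, Vi, Vo, Vl, f, I):
        self.Vi, self.Vo, self.Vl, self.f, self.I = set(Vi), set(Vo), set(Vl), f, I
        self.order = self._schedule()

    def _schedule(self):
        """Topological order of the defined variables; rejects instantaneous cycles."""
        pending, order = set(self.f), []
        while pending:
            ready = sorted(x for x in pending if not (deps(self.f[x]) & pending))
            if not ready:
                raise ValueError("dependency cycle among %s" % sorted(pending))
            order += ready
            pending -= set(ready)
        return order

    def run(self, inputs):
        """Trace semantics (Definition 2): x_{-1} = I(x), then one step per input record."""
        prev, trace = dict(self.I), []
        for inp in inputs:                      # inp: values of Vi at this instant
            cur = dict(inp)
            for x in self.order:
                cur[x] = evaluate(self.f[x], cur, prev)
            trace.append({x: cur[x] for x in self.Vo})
            prev = cur
        return trace

    def union(self, other):
        """Definition 3: same-named outputs and inputs are connected, the rest is merged."""
        assert not (self.Vo & other.Vo), "both nodes define the same output"
        assert not (self.Vl & other.Vl), "rename local variables before union"
        return MiniLustre((self.Vi | other.Vi) - self.Vo - other.Vo,
                          self.Vo | other.Vo, self.Vl | other.Vl,
                          {**self.f, **other.f}, {**self.I, **other.I})

def translate(Q, q0, Vi, Vo, I, f, T):
    """L((Q, q0, Vi, Vo, I, f, T)) = (Vi, Vo, Q, e, J) of Section 6.2.  States become
    Boolean locals; pre(q' and c) is written pre(q') and c[pre(x)/x], which is sound
    because conditions contain no pre (Definition 6)."""
    def shift(e):
        if e[0] == "v":  return PRE(e[1])
        if e[0] == "op": return ("op", e[1]) + tuple(shift(a) for a in e[2:])
        return e
    e = {}
    for x in Vo:                                # if q0 then f(q0)(x) else if q1 then ...
        expr = f[Q[-1]][x]                      # the last state closes the chain
        for q in reversed(Q[:-1]):
            expr = OP(IF, V(q), f[q][x], expr)
        e[x] = expr
    for q in Q:                                 # e(q) = OR over (q', c, q) in T of pre(q' and c)
        terms = [OP(AND, PRE(qs), shift(c)) for (qs, c, qt) in T if qt == q]
        e[q] = OP(lambda *ts: any(ts), *terms)
    J = {**I, **{q: q == q0 for q in Q}}
    return MiniLustre(Vi, Vo, Q, e, J)

def example():
    """The mode-automaton of Fig. 2: X counts up to 10 in mode A, down to 0 in mode B."""
    at10, at0 = OP(EQ, V("X"), C(10)), OP(EQ, V("X"), C(0))
    f = {"A": {"X": OP(lambda a: a + 1, PRE("X"))},
         "B": {"X": OP(lambda a: a - 1, PRE("X"))}}
    T = [("A", at10, "B"), ("B", at0, "A"),
         ("A", OP(NOT, at10), "A"), ("B", OP(NOT, at0), "B")]
    return translate(["A", "B"], "A", set(), {"X"}, {"X": 0}, f, T)

def x_trace(n):
    """Values X_0 .. X_{n-1} of the translated program (Vi is empty, so inputs are {})."""
    return [o["X"] for o in example().run([{}] * n)]

def composed():
    """Union with a node that reads X and emits Y = 2 X; X is no longer a global input."""
    double = MiniLustre({"X"}, {"Y"}, set(), {"Y": OP(lambda a: 2 * a, V("X"))}, {"Y": 0})
    return example().union(double)

if __name__ == "__main__":
    print(x_trace(22))                          # 1 .. 10, then 9 .. 0, then 1, 2
```

Running the translated program shows the point made in Section 6.3 concretely: at the instant where X reaches 10 the value is still computed by the equation of the source state A, and the state variable B only becomes true at the next instant, when the decrementing equation takes over. The scheduler orders A and B before X because X reads A instantaneously while A and B read everything under pre; a program with an instantaneous cycle is rejected at construction time.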
6.3 Another translation

We could have chosen another translation of mode-automata into Lustre, by 
deciding that “transitions do not take time” . 

If we observe the semantics proposed above carefully, we see that, in the 
instant when the automaton changes states, the values of the output variables are 
updated according to the equations attached to the source state of the transition. 
We could have chosen to update the variables according to the equations attached 
to the target state of the transition (it yields a slightly different semantics) . 

But we could not have chosen not to update the variables during transitions. 
Indeed, if we choose this solution, the equivalence of mode-automata based upon 
the notion of bisimulation is no longer a congruence. 



7 Conclusions 

In the first part of this paper, we recalled three aspects of compositionality in the framework of synchronous languages: definition of the semantics; separate compilation; compositional proofs. These three points are illustrated by a large number of papers (we could not cite all of them) and by industrial tools.

The second part of the paper is an exercise, motivated by the need to talk about running modes in a dataflow synchronous language. The proposal consists in attaching dataflow equations to the states of an automaton, which represent modes. Defining the semantics of such objects is not difficult, since we can simply provide a translation into pure Lustre (we could also define the trace semantics directly). However, it is desirable that the semantics have some compositionality properties. We listed three of them. Requiring that these properties hold is a way to rule out some semantic proposals. For instance (section 5.1), a semantics in which the Lustre program associated to the parallel composition of two mode-automata is not the usual dataflow connection of the two individual Lustre programs would have no meaning in a multi-language framework. Similarly, a translation in which the variables of the dataflow part are not updated during the transitions of the automaton part (“transitions do not take time”) cannot be accepted: the usual equivalence of automata is no longer a congruence for the parallel composition we have in mind.
Abstract. We present a compositional methodology for specification 
and proof using Interval Temporal Logic (ITL). After giving an introduction 
to ITL, we show how fixpoints of various ITL operators provide 
a flexible way to modularly reason about safety and liveness. In addition, 
some new techniques are described for compositionally transforming 
and refining ITL specifications. We also consider the use of ITL’s 
programming language subset Tempura as a tool for testing the kinds of 
specifications dealt with here. 



1 Introduction 

Modularity is of great importance in computer science. Its desirability in for- 
mal methods is evidenced by the growing interest in compositional specification 
and proof techniques. Work by us over the last few years has shown that a 
powerful generalization of the increasingly popular assumption/commitment 
approach to compositionality can be naturally embedded in Interval Temporal Logic 
(ITL) [12] through the use of temporal fixpoints [14]. Reasoning about safety, 
liveness and multiple time granularities is feasible in all three cases [15, 17]. 

In the present paper, we extend our methods to compositional transformation 
of specifications into other specifications. Basically, we show how to sequentially 
combine commitments containing specification fragments. The process contin- 
ues until we have obtained the desired result. This is useful when verifying, say, 
the equivalence of two specifications. One sequentially transforms each specifi- 
cation into the other. The transformation techniques can also be applied to the 
refinement of relatively abstract specifications into more concrete programs. 

We also show that various compositional ITL specification and proof tech- 
niques have executable variants. An interpreter for ITL’s programming-language 
subset Tempura [13] serves as a prototype tool. Generally speaking, our approach 
represents theorems as Tempura programs annotated with temporal assertions 
over periods of time. This can be viewed as a generalization of the use of pre- and 
post-conditions as annotations for documenting and run-time checking of con- 
ventional sequential programs. Because our assertion language is an executable 

* The research described here has been kindly supported by EPSRC research grant 
GR/K25922. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 439-464, 1998. 
subset of ITL, we can specify and check for behavior over periods of time whereas 
conventional assertions are limited to single states. 

The remaining sections of the paper are organized as follows. Section 2 gives a 
summary of ITL’s syntax and semantics. In Sect. 3 we overview compositionality 
in ITL. Section 4 looks at compositional reasoning about liveness. Section 5 
presents a compositional approach to transformation of specifications. Section 6 
considers execution of compositional specifications. The appendix discusses a 
practical ITL axiom system for compositional proofs. 

2 Review of Interval Temporal Logic 

We now describe Interval Temporal Logic for finite time. The presentation is 
rather brief and the reader should refer to references such as [11,3,12,14] for 
more details. Infinite intervals can also be handled by us but for simplicity we 
do not consider them until Subsect. 2.1. An ITL proof system is contained in 
the appendix. 

ITL is a linear-time temporal logic with a discrete model of time. An interval 
σ in general has a length |σ| ≥ 0 and a finite, nonempty sequence of |σ| + 1 
states σ₀, …, σ_|σ|. Thus the smallest intervals have length 0 and one state. Each 
state σᵢ for i ≤ |σ| maps variables a, b, c, …, A, B, C, … to data values. 
Lower-case variables a, b, c, … are called static and do not vary over time. Basic 
ITL contains conventional propositional operators such as ∧ and first-order ones 
such as ∀ and =. Normally expressions and formulas are evaluated relative to 
the beginning of the interval. For example, the formula J = I + 1 is true on an 
interval σ iff J’s value in σ’s initial state is one more than I’s value in that 
state. 

There are three primitive temporal operators skip, ; (chop) and * (chop-star). 
Here is their syntax, assuming that S and T are themselves formulas: 

    skip      S;T      S* . 

The formula skip has no operands and is true on an interval iff the interval has 
length 1 (i.e., exactly two states). Both chop and chop-star permit evaluation 
within various subintervals. A formula S;T is true on an interval σ with states 
σ₀, …, σ_|σ| iff the interval can be chopped into two sequential parts sharing a 
single state σ_k for some k ≤ |σ| and in which the subformula S is true on the left 
part σ₀, …, σ_k and the subformula T is true on the right part σ_k, …, σ_|σ|. For 
instance, the formula skip;(J = I + 1) is true on an interval σ iff σ has at least two 
states σ₀, σ₁, … and J = I + 1 is true in the second one σ₁. A formula S* is true 
on an interval iff the interval can be chopped into zero or more sequential parts 
and the subformula S is true on each. An empty interval (one having exactly 
one state) trivially satisfies any formula of the form S* (including false*). The 
following sometimes serves as an alternative syntax for S*: 

    chopstar S . 
Figure 1 pictorially illustrates the semantics of skip, chop, and chopstar. Some 
simple ITL formulas together with intervals which satisfy them are shown in 
Fig. 2. Some further propositional operators definable in ITL are shown in 
Table 1. 



Fig. 1. Informal illustration of ITL semantics (figure; it depicts skip as a single 
step, S;T as an interval split into a part for S and a part for T sharing one 
state, and S* as a succession of parts each satisfying S). 



Fig. 2. Some sample ITL formulas and satisfying intervals (figure; recoverable 
content only): 

    I = 1                            I: 1 2 4 
    I = 1 ∧ skip                     I: 1 2 
    skip; I = 1      (○ I = 1)       I: (two or more states, I = 1 in the second) 
    true; I ≠ 1      (◇ I ≠ 1)       I: 1 … (I ≠ 1 in some later state) 
    ¬(true; I ≠ 1)   (□ I = 1)       I: 1 1 1 1 1 



We generally use w, w', x, x' and so forth to denote state formulas with no 
temporal operators in them. Expressions are denoted by e, e' and so on. 

In [14] we make use of the conventional logical notion of definite descriptions 
of the form ιv: S where v is a variable and S is a formula (see for example 
Kleene [7, pp. 167-171]). These allow a uniform semantic and axiomatic treatment 
in ITL of expressions such as ○e (e’s next value), fin e (e’s final value) 
and len (the interval’s length). For example, ○e can be defined as follows: 

    ○e =def ιa: ○(e = a) , 

where a does not occur freely in e. Here is a way to define temporal assignment 
using a fin term: 

    e ← e' =def (fin e) = e' . 

The following operator stable tests whether an expression’s value stays 
unchanged over the interval: 

    stable e =def ∃a: □(e = a) , 

where the static variable a is chosen so as not to occur freely in the expression 
e. The formula e gets e' is true iff in every unit subinterval, the initial value of 
the expression e' equals the final value of the expression e: 

    e gets e' =def keep (e ← e') . 

An expression is said to be padded iff it is stable except for possibly the last state 
in the interval: 

    padded e =def ∃a: keep (e = a) , 

where the static variable a does not occur freely in e. A useful version of 
assignment called padded temporal assignment can then be defined: 

    e <~ e' =def (fin e) = e' ∧ padded e . 

This ensures that e does not change until possibly the very end of the interval 
when the assignment takes effect. Figure 3 shows examples of these operators. 

Table 1. Some other definable propositional ITL operators 

    ⊚ S       =def  ¬○¬S                 Weak next 
    more      =def  ○true                Nonempty interval 
    empty     =def  ¬more                Empty interval 
    ◇ᵢ S      =def  S; true              Some initial subinterval 
    □ᵢ S      =def  ¬◇ᵢ¬S                All initial subintervals 
    ◇ₐ S      =def  true; S; true        Some subinterval 
    □ₐ S      =def  ¬◇ₐ¬S                All subintervals 
    keep S    =def  □ₐ(skip ⊃ S)         All unit subintervals 
    fin S     =def  □(empty ⊃ S)         Final state 
    halt S    =def  □(empty ≡ S)         Exactly final state 
Fig. 3. Sample formulas illustrating stable, etc. (figure; recoverable content only): 

    stable K                                  K: 4 4 4 4 4 
    (label not recovered; K is not stable)    K: 2 6 1 8 3 
    K gets K + 1                              K: 4 5 6 7 
    padded K                                  K: 3 3 3 3 1 
    K <~ K + 1                                K: 2 2 2 2 3 
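To make the finite-interval semantics of this section concrete, here is an added Python evaluator (not code from the paper or from the Tempura interpreter) for skip, chop and chop-star, for the derived operators of Table 1 and for the first-order operators defined above; the encoding of an interval as a list of state dictionaries and all function names are this example's own choices. It also encodes the specification p2(K, n) of Sect. 5.1 and checks it on that section's 12-state sample interval.

```python
# Finite-interval ITL evaluator: an added example, not code from the paper.
# Intervals are lists of states (dicts); a formula is a Python predicate on
# an interval, evaluated, as in ITL, relative to the interval's first state.
from typing import Callable, Dict, List

State = Dict[str, object]
Interval = List[State]            # |sigma| + 1 states, so length |sigma| = len(s) - 1
Formula = Callable[[Interval], bool]
Expr = Callable[[State], object]  # an expression is evaluated in one state


def interval(**columns) -> Interval:
    """Build an interval from per-variable value lists, e.g. interval(I=[1, 2, 4])."""
    n = len(next(iter(columns.values())))
    return [{v: vals[i] for v, vals in columns.items()} for i in range(n)]


# --- primitive operators -------------------------------------------------
def state(pred: Callable[[State], bool]) -> Formula:
    return lambda s: bool(pred(s[0]))          # state formula: initial state only

def skip(s: Interval) -> bool:
    return len(s) == 2                         # length 1: exactly two states

def chop(S: Formula, T: Formula) -> Formula:
    # S on s[0..k] and T on s[k..end] for some k; the state s[k] is shared.
    return lambda s: any(S(s[:k + 1]) and T(s[k:]) for k in range(len(s)))

def chopstar(S: Formula) -> Formula:
    # Zero or more sequential parts, each satisfying S.  A one-state interval
    # satisfies any S*; otherwise the first part must contain at least one
    # step, which keeps the recursion finite.
    def ev(s: Interval) -> bool:
        return len(s) == 1 or any(S(s[:k + 1]) and ev(s[k:]) for k in range(1, len(s)))
    return ev


# --- propositional helpers and the derived operators of Table 1 ------------
true: Formula = lambda s: True
def neg(S: Formula) -> Formula: return lambda s: not S(s)
def conj(*Fs: Formula) -> Formula: return lambda s: all(F(s) for F in Fs)
def implies(S: Formula, T: Formula) -> Formula: return lambda s: (not S(s)) or T(s)

def nxt(S: Formula) -> Formula:                # strong next: needs a second state
    return lambda s: len(s) > 1 and S(s[1:])
more = nxt(true)                                # nonempty interval
empty = neg(more)                               # one-state interval
def sometime(S): return chop(true, S)           # <>S: some terminal subinterval
def always(S): return neg(sometime(neg(S)))     # []S: all terminal subintervals
def diamond_i(S): return chop(S, true)          # some initial subinterval
def diamond_a(S): return chop(true, chop(S, true))   # some subinterval
def box_a(S): return neg(diamond_a(neg(S)))     # all subintervals
def keep(S): return box_a(implies(skip, S))     # all unit subintervals
def fin(S): return always(implies(empty, S))    # final state
def halt(S): return always(lambda s: empty(s) == S(s))  # exactly final state


# --- first-order operators on expressions (Sect. 2 of the paper) -----------
def var(name: str) -> Expr: return lambda st: st[name]
def assign(e: Expr, e2: Expr) -> Formula:      # e <- e': final e equals initial e'
    return lambda s: e(s[-1]) == e2(s[0])
def stable(e: Expr) -> Formula:                # exists a: [](e = a)
    return lambda s: all(e(st) == e(s[0]) for st in s)
def gets(e: Expr, e2: Expr) -> Formula: return keep(assign(e, e2))
def padded(e: Expr) -> Formula:                # exists a: keep(e = a)
    return lambda s: all(e(st) == e(s[0]) for st in s[:-1])
def padded_assign(e: Expr, e2: Expr) -> Formula:   # e <~ e'
    return conj(assign(e, e2), padded(e))


# --- the specification p2(K, n) of Sect. 5.1, as written in Fig. 11 ---------
def p2(n: int) -> Formula:
    K = var("K")
    inc = padded_assign(K, lambda st: st["K"] + 1)
    even = state(lambda st: st["K"] % 2 == 0)
    odd = neg(even)
    return conj(halt(state(lambda st: st["K"] == 2 * n)),
                chopstar(chop(inc, halt(even))),
                chopstar(chop(halt(odd), inc)))


if __name__ == "__main__":
    print(always(state(lambda st: st["I"] == 1))(interval(I=[1, 1, 1, 1, 1])))  # True
    print(p2(3)(interval(K=[0, 0, 1, 2, 2, 2, 3, 4, 5, 5, 5, 6])))               # True
```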



2.1 ITL with Infinite Time 

The semantics so far presented is suitable for reasoning about finite intervals. 
We now discuss some modifications needed to permit infinite intervals as well. 
First, we apply our semantics of S;T and S* to infinite intervals. As before, 
S;T is true on an interval if the interval can be divided into one part for S and 
another adjacent part for T, and S* is true if the interval can be divided 
into a finite number of parts, each satisfying S. In addition, we now also let S;T 
be true on an infinite interval which satisfies S. For such an interval, we can 
ignore T. Furthermore, we let S* be true on an infinite interval that is divisible 
into a finite number of subintervals where the last one has infinite length and 
each satisfies S, or alternatively into an infinite number of finite intervals each 
satisfying S. We define new constructs for testing whether an interval is infinite 
or finite, and alter the definition of ◇: 

    inf =def true; false        finite =def ¬inf 

    ◇S =def finite; S           sfin S =def ◇(empty ∧ S) . 

Here sfin S is a strong version of fin S and is true only on finite intervals. In 
contrast, fin S is vacuously true on all infinite intervals. The first-order operators 
for temporal assignment and padded temporal assignment are redefined to deal 
with both finite and infinite intervals: 

    e ← e'  =def  finite ⊃ (fin e) = e' , 

    e <~ e' =def  finite ∧ (fin e) = e' ∧ padded e . 

Our experience seems to suggest that it is preferable to define e ← e' to be 
vacuously true on infinite intervals and to define e <~ e' to be false on them. 







B.C. Moszkowski 



3 Introduction to Compositionality in ITL 

Modularity is a desirable attribute of any formal method. One of the best known 
modular logical notations is Hoare logic [4]. It uses the important insight that 
proofs about the pre/post-condition behavior of a sequential program can be 
decomposed into subproofs of the program’s parts. In ITL we can express a 
Hoare clause as a theorem about discrete intervals of time consisting of one or 
more states: 

    ⊢ w ∧ Sys ⊃ fin w' . 

Here w and w' are state formulas containing no temporal operators and Sys is 
some arbitrary temporal formula we wish to reason about. The temporal formula 
fin w' is true on an interval iff w' is true in the interval’s final state. 

The pre/post-condition approach is not particularly well suited for specify- 
ing and verifying systems in which ongoing and parallel behavior are important. 
However, this can be remedied through the addition of what are commonly 
known as assumptions and commitments. Francez and Pnueli [2] are the first to 
consider them and refer to them as interface predicates. The following implica- 
tion shows the basic form of an ITL theorem incorporating an assumption As 
and a commitment Co: 

    w ∧ As ∧ Sys ⊃ Co ∧ fin w' . 

Table 2 briefly describes the role of each logical variable in such an implication. 
This can be seen as an embedding of Jones’ rely and guarantee conditions [5] 
in ITL. In Fig. 4, we show a graphical representation of the implication called a 
proof outline. 



Table 2. Compositional specification of system Sys 

    w ∧ As ∧ Sys ⊃ Co ∧ fin w' , 
    where: 
        w:    state formula about initial state, 
        As:   assumption about overall interval, 
        Sys:  the system under consideration, 
        Co:   commitment about overall interval, 
        w':   state formula about final state. 



In general As and Co can be arbitrary temporal formulas. However, when 
compositional reasoning about sequential parts of a system is needed, it is useful 
to select assumptions and commitments for which the following derived ITL 
proof rule is sound: 

    ⊢ w ∧ As ∧ Sys ⊃ Co ∧ fin w' , 
    ⊢ w' ∧ As ∧ Sys' ⊃ Co ∧ fin w'' 
    ──────────────────────────────────────────      (1) 
    ⊢ w ∧ As ∧ (Sys; Sys') ⊃ Co ∧ fin w'' . 
Fig. 4. Proof outline for specification Sys (figure; the assumption As is drawn 
above the outline of Sys and the commitment Co below it). 



The rule uses the ITL operator chop to combine the formulas Sys and Sys' 
sequentially. An associated proof outline is shown in Fig. 5. Here is an analogous 
rule for decomposing a proof for zero or more iterations of a formula Sys: 

    ⊢ w ∧ As ∧ Sys ⊃ Co ∧ fin w 
    ───────────────────────────────────      (2) 
    ⊢ w ∧ As ∧ Sys* ⊃ Co ∧ fin w . 

Figure 6 shows a corresponding proof outline. Similar rules are possible for if, 
while and other constructs. 






Fig. 5. Proof outline for specification Sys; Sys' (figure; As is drawn over Sys, 
which runs from {w} to {w'}, and over Sys', which starts at {w'}; Co is drawn 
under each part and under the whole). 

Fig. 6. Proof outline for specification Sys* (figure; As is drawn over each 
iteration and Co under each iteration and under the whole). 



To ensure soundness of proof rules (1) and (2), we require that As and Co be 
respective fixpoints of the ITL operators □ₐ and chop-star as is now shown: 

    As ≡ □ₐ As ,        Co ≡ Co* . 

The first equivalence ensures that if the assumption As is true on an interval, 
it is also true in all subintervals. We say that such an assumption is importable. 
The second equivalence ensures that if zero or more sequential instances of the 
commitment Co span an interval, Co is also true on the interval itself. A commitment 
with this property is said to be exportable. Importable assumptions 
and exportable commitments are collectively referred to as sequentially compositional. 
The temporal formula □(I = 1) (read “I always equals 1”) is a typical 
importable assumption. An example of its behavior can be pictorially represented 
as follows (figure; recoverable content only): 

    □(I = 1)            I: 1 1 1 1 
    with □(I = 1) also holding on every subinterval of I: 1 1 1 1 . 
The set of importable assumptions turns out to consist exactly of those formulas 
expressible as □ₐ S for some arbitrary subformula S. The temporal formula A ← A 
(“A’s initial and final values on the interval are equal”) is an exportable 
commitment. Here is an interval illustrating this (figure; recoverable content only): 

    A ← A               A: 42 … 42 (intermediate values not recovered) 
    with A ← A holding on each of three sequential parts making up the interval. 

One can show that a formula is an exportable commitment if and only if it 
can be expressed in the form S* for some arbitrary S. Some formulas such as 
stable K (“K’s value remains the same throughout the interval”) can be used 
both as assumptions and commitments. These are precisely the fixpoints of the 
ITL operator keep defined earlier in Table 1. We recall that formula keep S, for 
some subformula S, is defined to be true on an interval iff S is true on every 
unit subinterval (i.e., consisting of exactly two adjacent states): 

    keep S =def □ₐ(skip ⊃ S) . 

Here is a graphical representation of the semantics of a formula keep S on a 
typical interval (figure): 

    keep S              S holds on each unit subinterval:  S S S S S S S S 
The formula keep (K ← K + 1) is an example of such a fixpoint. It states that K 
increases by 1 between every pair of adjacent states. In Fig. 7 we show a proof 
outline for the following lemma: 

    ⊢ J = 1 ∧ stable J ∧ (stable K; K <~ K + J) 
        ⊃ keep (K ≤ ○K ≤ K + 1) ∧ fin (J = 1) .                  (3) 

Fig. 7. Proof outline for lemma (3), where Co is keep (K ≤ ○K ≤ K + 1) (figure; 
stable J is drawn as the assumption over both parts stable K and K <~ K + J, 
with {J = 1} at the part boundaries and Co under each part and under the whole). 



Note that our approach only requires that assumptions and commitments 
which are used directly in rules such as (1) and (2) are sequentially compositional. 
Compositional proofs about a system in ITL typically also involve reasoning 
about assumptions and commitments which are not sequentially compositional. 
For instance, there is an important class of formulas using the standard temporal 
operator □. In general they can be used directly neither as sequentially compositional 
assumptions nor as commitments. Nevertheless, those of the form □w, for 
some state formula w, can be used as importable assumptions since they are 
fixpoints of the operator □ₐ: 

    ⊢ □w ≡ □ₐ □w . 

Unfortunately, even these cannot be used as exportable commitments since, for 
example, the formula (□w)* (and indeed any formula S*) is vacuously true on 
intervals having exactly one state whereas □w is not necessarily true on them. In 
other words (□w)* ∧ ¬□w is satisfiable for some w and therefore □w ≡ (□w)* 
is normally not a theorem. However, there are simple ways around this. For 
instance, we can express □w as the conjunction of keep w and fin w: 

    ⊢ □w ≡ keep w ∧ fin w . 

Since w is a state formula, keep w turns out to be true on an interval iff w is 
true on all of the interval’s states except possibly the last one. Since we already 
mentioned that keep S for any formula S is a perfectly good exportable commitment, 
we can use keep w in compositional proofs and at the very end combine 
it with fin w to obtain the desired (generally nonexportable) commitment □w. 
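The importability condition As ≡ □ₐ As and the exportability condition Co ≡ Co* can be checked mechanically on every short interval over a small value domain, which is what this added Python example does (it is not the paper's code); the domain enumeration, the one-variable interval encoding and all function names are this example's own assumptions. It confirms that □(I = 1) is importable but not exportable (the one-state counterexample discussed above), that A ← A is exportable but not importable, that keep w and stable A are both, and that □w ≡ keep w ∧ fin w.

```python
# Exhaustive check of sequential compositionality on short finite intervals.
# Added example, not the paper's own code; intervals are lists of one-variable
# states, and formulas are Python predicates on such lists.
from itertools import product
from typing import Callable, Dict, Iterator, List

State = Dict[str, int]
Interval = List[State]
Formula = Callable[[Interval], bool]


def all_intervals(v: str, values, max_states: int) -> Iterator[Interval]:
    """Every interval with 1..max_states states whose variable v ranges over values."""
    for n in range(1, max_states + 1):
        for vals in product(values, repeat=n):
            yield [{v: x} for x in vals]


def subintervals(s: Interval) -> Iterator[Interval]:
    """All contiguous runs s[i..j] of states (the subintervals quantified by box-a)."""
    for i in range(len(s)):
        for j in range(i, len(s)):
            yield s[i:j + 1]


def decompositions(s: Interval) -> Iterator[List[Interval]]:
    """All ways to chop s into sequential nonempty parts that share their end
    states; a one-state interval has exactly one decomposition, into zero parts."""
    if len(s) == 1:
        yield []
        return
    for k in range(1, len(s)):
        for rest in decompositions(s[k:]):
            yield [s[:k + 1]] + rest


# As is importable iff As == box-a As.  box-a As implies As trivially (the
# interval is its own subinterval), so only As => box-a As is checked.
def importable_on(As: Formula, s: Interval) -> bool:
    return (not As(s)) or all(As(sub) for sub in subintervals(s))

# Co is exportable iff Co == Co*.  Co implies Co* trivially (one part), so only
# Co* => Co is checked: whenever some decomposition has Co on every part, Co
# must also hold on the whole interval.
def exportable_on(Co: Formula, s: Interval) -> bool:
    return Co(s) or not any(all(Co(p) for p in parts) for parts in decompositions(s))

def importable(As: Formula, v: str, values, max_states: int) -> bool:
    return all(importable_on(As, s) for s in all_intervals(v, values, max_states))

def exportable(Co: Formula, v: str, values, max_states: int) -> bool:
    return all(exportable_on(Co, s) for s in all_intervals(v, values, max_states))


# --- the formulas discussed in Sect. 3, written directly on intervals ---------
def box(w) -> Formula:             # [] w for a state formula w: w in every state
    return lambda s: all(w(st) for st in s)
def keep_state(w) -> Formula:      # keep w: w in every state except possibly the last
    return lambda s: all(w(st) for st in s[:-1])
def fin(w) -> Formula:             # fin w: w in the final state
    return lambda s: w(s[-1])
def unchanged(v: str) -> Formula:  # A <- A: initial and final values are equal
    return lambda s: s[-1][v] == s[0][v]
def stable(v: str) -> Formula:     # stable A: the same value in every state
    return lambda s: all(st[v] == s[0][v] for st in s)

def box_is_keep_and_fin(w, v: str, values, max_states: int) -> bool:
    """Checks the lemma  [] w == keep w /\\ fin w  on every interval in the domain."""
    return all(box(w)(s) == (keep_state(w)(s) and fin(w)(s))
               for s in all_intervals(v, values, max_states))


if __name__ == "__main__":
    one = lambda st: st["I"] == 1
    print(importable(box(one), "I", [1, 2], 4), exportable(box(one), "I", [1, 2], 4))  # True False
    print(exportable(unchanged("A"), "A", [0, 1, 2], 4))                                # True
```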
4 Compositional Analysis of Liveness 

The techniques so far presented do not address reasoning about formulas involving 
liveness such as □◇x and □(x ⊃ ◇x'), where x and x' are state formulas. 
We now briefly discuss how to handle such temporal formulas in compositional 
proofs. More details and examples of proofs can be found in [17]. Let us now use 
the temporal operator □ₘ (“box-m” or “mostly”) defined as follows: 

    □ₘ S =def □(more ⊃ S) . 

A formula □ₘ S is true on an interval iff the subformula S is true on all terminal 
(suffix) subintervals with more than one state, that is all the interval’s nonempty 
terminal subintervals. Therefore □ₘ ignores the last (empty) terminal subinterval 
consisting of one state and is slightly weaker than □. In Fig. 8 we illustrate 
the difference between the two operators. On infinite intervals, their behavior is 
identical. 



Fig. 8. Comparison of □ S with □ₘ S (figure; □ S requires S on every terminal 
subinterval including the final one-state one, whereas □ₘ S requires S only on 
the terminal subintervals with more than one state). 



It turns out that for any state formulas w and w' and an arbitrary formula 
S, the formula □ₘ(w ⊃ S; w') is a fixpoint of chop-star: 

    ⊢ □ₘ(w ⊃ S; w') ≡ (□ₘ(w ⊃ S; w'))* . 

This is because □ₘ(w ⊃ S; w') can be expressed as □ₘ ◇ᵢ(w ⊃ (S ∧ fin w')) and 
any formula of the form □ₘ ◇ᵢ T for some arbitrary formula T is a fixpoint of 
chop-star. 
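The two rewriting steps behind this claim, written out here as an added derivation in the section's own notation (it is not part of the original text):

$$
\begin{aligned}
S;w' &\equiv \Diamond_i\,(S \wedge \mathit{fin}\,w')
  &&\text{(chop: some initial subinterval satisfies $S$ and ends in a state satisfying $w'$)}\\
w \supset \Diamond_i\,T &\equiv \Diamond_i\,(w \supset T)
  &&\text{($w$ is a state formula, so every initial subinterval agrees with the whole on $w$)}\\
\Box_m(w \supset S;w') &\equiv \Box_m\,\Diamond_i\,(w \supset (S \wedge \mathit{fin}\,w')) .
\end{aligned}
$$

For the chop-star fixpoint, take any decomposition of an interval into parts each satisfying $\Box_m\Diamond_i T$: a nonempty terminal subinterval of the whole starts at a state that is a non-final state of some part (a final state of one part is the initial state of the next), so the terminal subinterval of that part from that state is nonempty, satisfies $\Diamond_i T$, and its witnessing initial subinterval is also an initial subinterval of the terminal subinterval of the whole.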

For state formulas x and x', the implication x ⊃ ◇x' can be expressed as 
x ⊃ finite; x'. Consequently, the formula □ₘ(x ⊃ ◇x') is a fixpoint of chop-star. 
Table 3 gives examples of exportable commitments expressible in the form 
□ₘ(x ⊃ S; x') for suitable x, x' and S. 

One way to prove a formula □(x ⊃ ◇x') is by establishing the related formula 
□ₘ(x ⊃ ◇x') through sequential composition and also showing the formula 
fin (x ⊃ ◇x'). We then use the following lemma relating □ with □ₘ and fin: 

    ⊢ □S ≡ □ₘ S ∧ fin S . 

Table 3. Examples of formulas expressible as □ₘ(x ⊃ S; x') 

    □ₘ x 
    □ₘ ◇x 
    □ₘ(x ⊃ ◇x) 
    □ₘ ◇ᵢ(skip ∧ S)    (same as keep S) 

The fixpoints of the ITL operator ◇ₐ (read “diamond-a”) are important when 
we reason about liveness. In general, ◇ₐ S is true on an interval iff S is true on 
some subinterval (possibly the interval itself). Formulas such as ◇x, where x is 
a state formula, and ¬stable A (meaning “The variable A has more than one 
value over the interval”) are fixpoints of ◇ₐ. If DA is a fixpoint of ◇ₐ, □ₘ DA is a 
fixpoint of chop-star and hence an exportable commitment. More generally, for 
any state formula x and ◇ₐ-fixpoint DA, a formula of the form □ₘ(x ⊃ DA) is 
always a fixpoint of chop-star. This is because □ₘ(x ⊃ DA) can be expressed as 
□ₘ(x ⊃ DA; true). The fixpoints of ◇ₐ are closed under disjunction. 

Let us consider another benefit of fixpoints of ◇ₐ. Suppose one wishes to 
prove that a formula Sys; Sys' with a suitable precondition and an importable 
assumption implies a commitment □ₘ(x ⊃ DA) for some state formula x and 
some fixpoint DA of ◇ₐ. The most straightforward thing to do is to first show 
the commitment both for Sys and Sys' and then combine the results using proof 
rule (1). However, this is not always possible since DA might never be true in 
Sys and only occur in Sys' even though x is perhaps somewhere true in Sys. In 
such cases, we can use the following derivable proof rule for all intervals, both 
finite and infinite: 

    ⊢ w ∧ As ∧ Sys ⊃ finite ∧ fin w' , 
    ⊢ w' ∧ As ∧ Sys' ⊃ □ₘ(x ⊃ DA) ∧ DA ∧ fin w'' 
    ────────────────────────────────────────────────────────      (4) 
    ⊢ w ∧ As ∧ (Sys; Sys') ⊃ □ₘ(x ⊃ DA) ∧ DA ∧ fin w'' . 

This shows that the only thing we need to verify about Sys is that it terminates 
with the formula w' true in its final state. Both the desired commitment □ₘ(x ⊃ 
DA) and DA itself can be obtained for Sys; Sys' from Sys' alone because DA is 
a fixpoint of ◇ₐ. A proof outline for this is given in Fig. 9. 

Figure 10 shows a proof outline for the following lemma in which the variable 
K is never stable, except trivially in the last state (if the overall interval is finite): 

    ⊢ J > 1 ∧ keep (J < ○J) ∧ ((stable K ∧ finite); K <~ K + J) 
        ⊃ □ₘ ¬stable K ∧ ¬stable K ∧ fin (J > 1) .               (5) 
Fig. 9. A proof outline for rule (4) (figure; As is drawn over Sys, from {w} 
to {w'}, and over Sys'; finite is drawn under Sys, and □ₘ(x ⊃ DA) ∧ DA under 
Sys' and under the whole). 

Fig. 10. Proof outline for lemma (5) (figure; keep (J < ○J) is drawn over both 
parts stable K ∧ finite and K <~ K + J, with {J > 1} at the boundary, finite 
under the first part, and □ₘ ¬stable K ∧ ¬stable K under the second part and 
under the whole). 



Sometimes a more powerful technique for analyzing reachability is needed. 
We originally introduced the notion of markers in [11, p. 127]. A marker is a 
boolean state variable, called here Mk, which is true exactly at the start and 
end of loop iterations. For example, a variant of chop-star having a marker can 
be defined as follows: 

    chopstar_Mk S =def (S ∧ ○halt Mk)* . 

Without loss of generality, we can always existentially introduce a marker as an 
auxiliary variable. The following provable lemma states this: 

    ⊢ S* ≡ ∃Mk: (Mk ∧ chopstar_Mk S) , 

where Mk does not occur freely in the formula S. The use of markers in liveness 
proofs is discussed in more detail in [17]. 

5 Compositional Transformation of Specifications 

Assumptions and commitments are usually thought of as being simpler than 
the systems they describe. However in ITL it is possible to embed arbitrary 
formulas in them. This provides a framework for compositional transformation 
and refinement of specifications. For example, we can specify that one system 
Sys implies that whenever some state formula x is true, the behavior of another 
system Sys' is observed followed by another state formula x' being true: 

    w ∧ As ∧ Sys ⊃ □(x ⊃ Sys'; x') ∧ fin w' . 

The use of formulas of the form □(x ⊃ S; x') provides a powerful means for 
decomposition. For example, suppose we wish to establish the following commitment 
which embeds S; S': 

    □(x ⊃ S; S'; x') . 
This can be split into two smaller commitments for S and S' using the general 
ITL theorem shown below: 

    ⊢ □(x ⊃ S; y) ∧ □(y ⊃ S'; x') ⊃ □(x ⊃ S; S'; x') .          (6) 

Here we introduce a new state formula y to connect the two individual commitments. 
A similar decomposition theorem can be used for while-loops which are 
themselves expressible in ITL as follows: 

    while w do S =def (w ∧ S)* ∧ fin ¬w . 

A commitment with an embedded while-loop has the following form: 

    □(x ⊃ (while w do S); x') . 

It can be broken down using the theorem now given: 

    ⊢ □(x ∧ w ⊃ (S ∧ more); x) ∧ □(x ∧ ¬w ⊃ x') 
        ⊃ □(x ⊃ (while w do S); x') . 

The formula x serves as the while-loop’s invariant. Here is a corollary of this for 
introducing a while-loop itself: 

    ⊢ □(x ∧ w ⊃ (S ∧ more); x) ∧ □(x ∧ ¬w ⊃ empty) 
        ⊃ x ⊃ (while w do S) ∧ fin (x ∧ ¬w) .                    (7) 

Sometimes, we wish to prove that one system implies another: 

    w ∧ As ∧ Sys ⊃ Sys' ∧ fin w' . 

This can be thought of as stating the existence of a transformation from Sys to 
Sys'. If we have already compositionally demonstrated a commitment □(x ⊃ 
S; x'), we can obtain S from it through the next theorem: 

    ⊢ x ∧ □(x ⊃ S; x') ∧ □(x' ⊃ empty) ⊃ S . 

A commitment expressed as □(x ⊃ S; x') is in general not exportable. However, 
we noted in Sect. 4 that a formula such as □ₘ(x ⊃ S; x') when used as a 
commitment is exportable since it is always a fixpoint of chop-star. This greatly 
facilitates modular proofs since we obtain the benefits of sequential compositionality. 
The following lemmas assist in moving between the two types of commitments: 

    ⊢ □(x ⊃ S; x') ⊃ □ₘ(x ⊃ S; x') 
    ⊢ □ₘ(x ⊃ S; x') ∧ fin ¬x ⊃ □(x ⊃ S; x') . 

The subformula fin ¬x in the second lemma ensures that the implication x ⊃ 
S; x' is trivially true in the interval’s final state if the interval is finite. 
5.1 An Example 

Figure 11 shows two logically equivalent specifications p1(K, n) and p2(K, n) 
which monotonically increase a variable K until it equals 2n. Here is the behavior 
of K and n in a sample interval having 12 states: 

    n: 3 3 3 3 3 3 3 3 3 3 3 3 
    K: 0 0 1 2 2 2 3 4 5 5 5 6 

    p1(K, n):  while K ≠ 2n do (K <~ K + 1) 

    p2(K, n):  halt (K = 2n) 
               ∧ (K <~ K + 1; halt even(K))* 
               ∧ (halt odd(K); K <~ K + 1)* 

Fig. 11. Two equivalent specifications 

We will consider how to establish equivalence when K is initially even. This 
can be reduced to proving the following two implications: 

    ⊢ even(K) ∧ p1(K, n) ⊃ p2(K, n)                                (8) 

    ⊢ even(K) ∧ p2(K, n) ⊃ p1(K, n) .                              (9) 

Each of these is analyzed individually. 

Proof of even(K) ∧ p1(K, n) ⊃ p2(K, n). In order to prove lemma (8), 
we give names to p2’s conjuncts as shown in Table 4 and prove the following 
lemmas which demonstrate that p1 implies each of them: 

    ⊢ even(K) ∧ p1(K, n) ⊃ p2a(K, n)                               (10) 

    ⊢ even(K) ∧ p1(K, n) ⊃ p2b(K)                                  (11) 

    ⊢ even(K) ∧ p1(K, n) ⊃ p2c(K) .                                (12) 

The simplest of the three lemmas is the first one (10). A proof outline is 
shown in Fig. 12. It uses the following equivalence for the halt construct: 

    ⊢ halt w ≡ □ₘ ¬w ∧ fin w .                                     (13) 

The proofs of lemma (11) for p2b and lemma (12) for p2c are similar to each 
other so we only look at the one for p2b. The lemma’s proof uses an auxiliary 
boolean state variable X which acts as follows: 

    X ∧ X gets (K ≠ ○K) . 
Table 4. Decomposition of specification p2(K, n) 

    p2(K, n):   p2a(K, n) ∧ p2b(K) ∧ p2c(K) 

    p2a(K, n):  halt (K = 2n) 

    p2b(K):     (K <~ K + 1; halt even(K))* 

    p2c(K):     (halt odd(K); K <~ K + 1)* 

Fig. 12. Proof outline for lemma (10) (figure; the outline annotates 
{true} while K ≠ 2n do { {K ≠ 2n} K <~ K + 1 {true} } {K = 2n}, with 
□ₘ K ≠ 2n under the loop body and under each iteration, and 
□ₘ K ≠ 2n ∧ fin (K = 2n), hence halt (K = 2n), under the whole). 

It is initially true and subsequently is true exactly whenever K’s value changes. 
We can introduce X without loss of generality using existential quantification. 
Here is the behavior of K and X in the interval described earlier: 

    K: 0     0     1    2    2     2     3    4    5    5     5     6 
    X: true  false true true false false true true true false false true 

The subformula X gets (K ≠ ○K) is used as an importable assumption in the 
proofs for p2b. 

The outermost operator used in p2b is chop-star. The following general theorem 
provides a way to introduce a formula S* from a commitment which embeds 
S in it: 

    x ∧ □ₘ(x ⊃ (S ∧ more); x) ⊃ S* . 

In the case of p2b, we use X ∧ even(K) as an instance of x and take the following 
as an instance of □ₘ(x ⊃ (S ∧ more); x): 

    □ₘ(X ∧ even(K) ⊃ 
         ((K <~ K + 1; halt even(K)) ∧ more); 
         (X ∧ even(K))) . 

This can be further split into two commitments using a variant of lemma (6) 
given below for sequentially decomposing loop bodies: 

    ⊢ □ₘ(x ⊃ (S ∧ more); x') ∧ □ₘ(x' ⊃ S'; x'') 
        ⊃ □ₘ(x ⊃ ((S; S') ∧ more); x'') . 
One commitment is for K <~ K + 1 ∧ more and the other is for halt even(K): 

    □ₘ(X ∧ even(K) ⊃                      □ₘ(X ∧ odd(K) ⊃ 
         (K <~ K + 1 ∧ more);                   halt even(K); 
         (X ∧ odd(K)))                          (X ∧ even(K))) . 

The associated lemmas are now given: 

    ⊢ even(K) ∧ X ∧ X gets (K ≠ ○K) ∧ p1(K, n) 
        ⊃ □ₘ(X ∧ even(K) ⊃ 
              (K <~ K + 1 ∧ more); 
              (X ∧ odd(K)))                                       (14) 

    ⊢ even(K) ∧ X ∧ X gets (K ≠ ○K) ∧ p1(K, n) 
        ⊃ □ₘ(X ∧ odd(K) ⊃ 
              halt even(K); 
              (X ∧ even(K))) .                                    (15) 

Proof outlines for these are shown in Figs. 13 and 14, respectively. Figure 15 
summarizes the overall proof of lemma (11). 

Fig. 13. Proof outline for lemma (14) (figure; As is drawn over the loop 
while K ≠ 2n do { {X ∧ K ≠ 2n} K <~ K + 1 {X} }, which ends in {X}, with Co 
under each iteration and under the whole), where As is X gets (K ≠ ○K) 
and Co is 
    □ₘ(X ∧ even(K) ⊃ (K <~ K + 1 ∧ more); (X ∧ odd(K))) . 

Proof of even(K) ∧ p2(K, n) ⊃ p1(K, n). In order to obtain p1(K, n) 
from p2(K, n), we first use the fact that p1(K, n) is expressed as a while-loop 
and can therefore be decomposed using the lemma now given which is provable 
from corollary (7): 

    ⊢ halt ¬w ∧ S* ⊃ while w do S .                                (16) 
Fig. 14. Proof outline for lemma (15) (figure; As is drawn over the loop 
while K ≠ 2n do { {X ∧ K ≠ 2n} K <~ K + 1 {X} }, which ends in {X ∧ K = 2n}, 
with Co under each iteration and Co ∧ fin ¬odd(K), hence Co', under the whole), 
where As is X gets (K ≠ ○K), 
    Co is  □ₘ(X ∧ odd(K) ⊃ halt even(K); (X ∧ even(K))) 
and Co' is □(X ∧ odd(K) ⊃ halt even(K); (X ∧ even(K))) . 

Fig. 15. Overview of proof of lemma (8) (figure; recoverable content): 

    even(K) ∧ X ∧ X gets (K ≠ ○K) ∧ p1(K, n) 
    a:  ⊃  □ₘ(X ∧ even(K) ⊃ (K <~ K + 1 ∧ more); (X ∧ odd(K))) 
           ∧ □(X ∧ odd(K) ⊃ halt even(K); (X ∧ even(K))) 
    b:  ⊃  □ₘ(X ∧ even(K) ⊃ ((K <~ K + 1; halt even(K)) ∧ more); (X ∧ even(K))) 
    c:  ⊃  X ∧ even(K) ⊃ (K <~ K + 1; halt even(K))* 
Here is the particular instance of this that we need to show: 

    ⊢ halt ¬(K ≠ 2n) ∧ (K <~ K + 1)* ⊃ while K ≠ 2n do (K <~ K + 1) . 

The antecedent of this can be obtained from p2(K, n) in the following manner: 

    ⊢ even(K) ∧ p2(K, n) ⊃ halt ¬(K ≠ 2n) ∧ (K <~ K + 1)* .       (17) 

The main work in proving lemma (17) involves obtaining (K <~ K + 1)*: 

    ⊢ even(K) ∧ p2(K, n) ⊃ (K <~ K + 1)* .                         (18) 

As done previously, we use an auxiliary variable X which is initially true and 
subsequently is true exactly whenever K’s value changes. Figure 16 summarizes 
the overall proof of lemma (18). 

Fig. 16. Overview of proof of lemma (18) (figure; recoverable content): 

    even(K) ∧ X ∧ X gets (K ≠ ○K) ∧ p2b(K)      even(K) ∧ X ∧ X gets (K ≠ ○K) ∧ p2c(K) 
      ⊃ □ₘ(X ∧ even(K) ⊃                          ⊃ □ₘ(X ∧ odd(K) ⊃ 
            (K <~ K + 1 ∧ more); X)                      (K <~ K + 1 ∧ more); X) 
                        ⊃ □ₘ(X ⊃ (K <~ K + 1 ∧ more); X) 
                        ⊃ X ⊃ (K <~ K + 1)* 

A proof outline for the following lemma about p2b(K) 

    ⊢ even(K) ∧ X ∧ X gets (K ≠ ○K) ∧ p2b(K) 
        ⊃ □ₘ(X ∧ even(K) ⊃ (K <~ K + 1 ∧ more); X)                 (19) 

is shown in Fig. 17. 
6 Executable Compositional Specifications 

The Tempura programming language [13] is based on an executable subset of 
ITL. With some care, many interesting ITL specifications can be directly run by 
a Tempura interpreter. This consequently provides a valuable tool for “hands-on” 
access to ITL. It appears to be worthwhile to explore ways of exploiting Tempura 
[Fig. 17: proof outline for lemma (19), a chopstar over segments annotated with $\{X \wedge \mathit{even}(K)\}$, $\mathit{even}(K) \supset \ldots$, $K \leftarrow K+1$, $(K \leftarrow K+1 \wedge \mathit{more});\ldots$, $\{\mathit{odd}(K)\}$, $\mathit{halt}\,\mathit{even}(K)$ and $\mathit{Co}$; the two-dimensional layout is not recoverable from the scan. Here $\mathit{As}$ is $X\ \mathit{gets}\ (K \ne \bigcirc K)$ and $\mathit{Co}$ is $\boxplus(X \wedge \mathit{even}(K) \supset (K \leftarrow K+1 \wedge \mathit{more});X)$.]

Fig. 17. Proof outline for lemma (19).



for testing executable specifications which have assumptions and commitments 
in them. At present we are experimenting with various Tempura programming 
styles and interpreter implementation techniques to improve facilities for carrying 
this out. For instance, consider the following simple Tempura conjunction: 

$$K = 0 \wedge p1(K,3) \wedge p2(K,3) \wedge \Box\,\mathit{output}(K) . \qquad (20)$$

This initializes the variable $K$ to 0 and runs $p1(K,3)$ and $p2(K,3)$ in parallel 
on a state-by-state basis. Furthermore, the value of $K$ in each state is displayed. 
Figure 18 shows a typical run. The construct $K \leftarrow K + 1$ is nondeterministic 
since it does not specify any particular interval length. The interpreter 
therefore generates a pseudo-random value in some user-adjustable range. We 
note that the Tempura source code for $p1$ and $p2$ is annotated with many of the 
assumptions and commitments described earlier in various proofs in Subsect. 5.1. 
Therefore the run shown in Fig. 18 also extensively checks them. 

Now consider the following general ITL formula containing an assumption 
and a commitment: 

$$w \wedge \mathit{As} \wedge \mathit{Sys} \;\supset\; \mathit{Co} \wedge \mathit{fin}\ w' .$$

This can sometimes be tested in Tempura for inconsistencies using the following 
conjunction: 

$$w \wedge \mathit{As} \wedge \mathit{Sys} \wedge \mathit{Co} \wedge \mathit{fin}\ w' .$$

Of course, it is not feasible to attempt to execute arbitrary assumptions and 
commitments. Here are two reasons why: 

— They can contain arbitrary undecidable first-order ITL subformulas. 

— Satisfiability can be nonelementary even for decidable propositional ITL 
formulas (Kozen in [11, p. 24]). 

However, there are interesting and useful classes. For example, Table 5 shows 
various importable assumptions which can be tested. Similarly, Table 6 contains 
Tempura 4> run (K=0 and p1(K,3) and p2(K,3) and always output(K)).
State 0   K=0
State 1   K=0
State 2   K=0
State 3   K=1
State 4   K=1
State 5   K=2
State 6   K=2
State 7   K=2
State 8   K=3
State 9   K=3
State 10  K=4
State 11  K=5
State 12  K=5
State 13  K=5
State 14  K=6
Done! Computation length: 14. Total Passes: 40.

Fig. 18. Sample Tempura output for formula (20)



a number of checkable exportable commitments. Indeed, we discovered that formulas 
having the form $\boxplus(w \supset S;w')$ were suitable as exportable commitments 
only after we tried to prove compositionally the equivalence of some experimental 
Tempura specifications. Many assumptions and commitments which are not 
sequentially compositional can also be handled by Tempura. Examples include 
commitments of the form $\Box(w \supset S;w')$ as long as $w$, $S$ and $w'$ are themselves 
executable. We are even investigating ways of implementing negation of suitable 
Tempura programs. This would permit empirical testing of the validity of an 
implication of the form $\mathit{Sys} \supset \mathit{Sys}'$ by examining satisfiability of a program 
such as $\mathit{Sys} \wedge \neg\mathit{Sys}'$. 



Table 5. Some executable importable assumptions 

  $\mathit{stable}\ A$                                  A's value remains stable 
  $\mathit{keep}\,(K \le \bigcirc K \le K+1)$            K's value weakly increases monotonically 
  $\Box(K = 0)$                                         K always equals 0 
  $\Box\Diamond(K = 1 \vee \mathit{empty})$             Always eventually either K equals 1 or the interval terminates 
Table 6. Some executable exportable commitments 

  $\mathit{stable}\ A$                                        A's value remains stable 
  $\mathit{keep}\,(K \le \bigcirc K \le K+1)$                  K's value weakly increases monotonically 
  $\boxplus(K = 0)$                                           K's value is mostly zero 
  $\boxplus\Diamond K = 1$                                    K's value is mostly sometimes 1 
  $\boxplus(K = j \supset \Diamond K = j+1)$                  Mostly when K = j, eventually K = j+1 
  $\boxplus\,\exists i\colon (i = A \wedge \Diamond\,A \ne i)$  A is mostly not stable 
  $\boxplus(w \supset S;w')$                                  Mostly w implies S then w' 
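The run-time checking described above can be imitated outside Tempura by evaluating ITL formulas directly on a finite state sequence. The following Python checker is an added example, not the paper's code nor the Tempura interpreter: it implements the operators behind Table 5 and behind lemma (16) by brute force over all subintervals and runs them on a constructed trace carrying the K values of Fig. 18; every function name in it is this example's own.

```python
"""Brute-force checker for finite-interval ITL over explicit state sequences.

Added example, not the paper's code nor the Tempura interpreter: it evaluates
the operators behind Table 5 (stable, keep, box, diamond, empty) and behind
lemma (16) (halt, chop-star, temporal assignment, while) on a constructed
trace carrying the K values of Fig. 18.  All names are this example's own.
"""
from typing import Any, Callable, Dict, List

State = Dict[str, Any]
Interval = List[State]                 # non-empty list of states s0 .. sn
Formula = Callable[[Interval], bool]


def lit(pred: Callable[[State], bool]) -> Formula:
    """State formula w: true iff pred holds in the interval's first state."""
    return lambda iv: bool(pred(iv[0]))

def empty(iv: Interval) -> bool:       # interval has exactly one state
    return len(iv) == 1

def chop(f: Formula, g: Formula) -> Formula:
    """f ; g: some split state m belongs to both halves."""
    return lambda iv: any(f(iv[:m + 1]) and g(iv[m:]) for m in range(len(iv)))

def always(f: Formula) -> Formula:     # box f: f on every suffix subinterval
    return lambda iv: all(f(iv[i:]) for i in range(len(iv)))

def sometimes(f: Formula) -> Formula:  # diamond f == true ; f
    return chop(lambda iv: True, f)

def fin(w: Formula) -> Formula:        # fin w: w holds in the final state
    return lambda iv: w(iv[-1:])

def halt(w: Formula) -> Formula:       # halt w == box(empty == w)
    return lambda iv: all(w(iv[i:]) == (i == len(iv) - 1)
                          for i in range(len(iv)))

def chopstar(f: Formula) -> Formula:   # f* == empty or (f and more) ; f*
    def star(iv: Interval) -> bool:
        if empty(iv):
            return True
        return any(f(iv[:m + 1]) and star(iv[m:]) for m in range(1, len(iv)))
    return star

def keep(f: Formula) -> Formula:       # keep f: f on every two-state subinterval
    return lambda iv: all(f(iv[i:i + 2]) for i in range(len(iv) - 1))

def stable(v: str) -> Formula:         # stable v: v never changes value
    return keep(lambda iv: iv[0][v] == iv[1][v])

def assign(v: str, e: Callable[[State], Any]) -> Formula:
    """Temporal assignment v <- e: final value of v equals e's initial value."""
    return lambda iv: iv[-1][v] == e(iv[0])

def while_loop(w: Formula, s: Formula) -> Formula:
    """while w do s, read as (w and s)* together with fin(not w)."""
    body: Formula = lambda iv: w(iv) and s(iv)
    return lambda iv: chopstar(body)(iv) and fin(lambda jv: not w(jv))(iv)


# Constructed trace of K, shaped like Fig. 18 (states 0..14; n = 3, so 2n = 6).
K_VALUES = [0, 0, 0, 1, 1, 2, 2, 2, 3, 3, 4, 5, 5, 5, 6]
TRACE: Interval = [{"K": k} for k in K_VALUES]
INC = assign("K", lambda s: s["K"] + 1)           # K <- K + 1
K_NE_6 = lit(lambda s: s["K"] != 6)                # loop guard K != 2n


def k_eq(c: int) -> Formula:
    return lit(lambda s: s["K"] == c)


def check_table5(iv: Interval) -> Dict[str, bool]:
    """Importable assumptions of Table 5, with K as the stable variable."""
    weak_inc: Formula = lambda jv: jv[0]["K"] <= jv[1]["K"] <= jv[0]["K"] + 1
    one_or_end: Formula = lambda jv: k_eq(1)(jv) or empty(jv)
    return {
        "stable K": stable("K")(iv),
        "keep(K <= next K <= K+1)": keep(weak_inc)(iv),
        "box(K = 0)": always(k_eq(0))(iv),
        "box diamond(K = 1 or empty)": always(sometimes(one_or_end))(iv),
    }


def check_loop(iv: Interval) -> Dict[str, bool]:
    """Conjuncts of lemma (16) instantiated with w = (K != 6), S = (K <- K+1)."""
    return {
        "halt(K = 6)": halt(k_eq(6))(iv),
        "(K <- K+1)*": chopstar(INC)(iv),
        "while K != 6 do K <- K+1": while_loop(K_NE_6, INC)(iv),
    }
```

Note that the last Table 5 assumption holds on every finite trace, because the one-state suffix is itself empty; this is exactly the "or the interval terminates" clause in the table's gloss.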



Let us now enumerate some benefits of using Tempura for testing composi- 
tional specifications: 

— Tempura offers a “learning-by-doing” approach to ITL. 

— Larger ITL specifications can be developed and tested than with pencil and 
paper alone. 

— Modular, reusable Tempura test suites can be developed. 

— Several specifications can be compared over a range of test data. 

— The use of specialized theorem provers and model checkers can be postponed 
until after a preliminary run-time consistency check of candidate specifica- 
tions and proofs. 

— In contrast to model checking, execution can be used to test theorems which 
are not decidable. 

— ITL and Tempura both improve through the increased feedback between 
theory and practice. Particular benefits are: 

• The discovery of further executable assumptions and commitments. 

• The development of more and better compositional proof techniques. 

— Interval Temporal Logic serves as the single unifying formalization at all 
stages of analysis. 

Of course, we do not realistically expect the use of an interpreter to replace 
theorem provers and model checkers. However, this does seem to be an intriguing 
alternative suitable in various circumstances. For example, we already mentioned 
that the compositional equivalence proofs discussed in this paper have been 
partially checked using a Tempura interpreter. We have also been able to do a 
run-time parallel check of seven different ITL specifications for doing a breadth- 
first walk down a tree. The specifications range from a register-transfer level 
description to a somewhat object-oriented approach based on parallel recursive 
descent by several processes. Furthermore, we checked some safety and liveness 
proofs for mutual exclusion presented in [17]. As time goes on, we hope to obtain 
more experience with the advantages and limitations of using Tempura for run- 
time checking of ITL assertions. 




460 



B.C. Moszkowski 



7 Discussions 

We have presented the basis of a compositional methodology of specification and 
proof using fixpoints of various ITL operators. Issues considered include reason- 
ing about safety, liveness and even equivalence of specifications. Our current 
work has identified an interesting class of commitments which can be used for 
compositional transformation and refinement of specifications. The exploitation 
of executable specifications based on ITL’s programming language subset Tem- 
pura helps to accelerate development of both the underlying theory as well as 
practical tool support. 

Much work remains to be done. We need to conduct larger case studies using 
ITL and Tempura to ensure scalability of the techniques. Also, at present 
there is little experience with using compositionality in ITL together with a 
frame semantics for imperative destructive assignments developed by us in [16]. 
Furthermore, programming with Tempura has some difficulties. In particular, 
support for debugging of parallel programs needs improvement. 
Appendix A Practical Proof System for ITL 

In this appendix, we present a very powerful and practical compositional proof 
system for ITL. Our experience in rigorously developing hundreds of propositional 
and first-order proofs has helped us refine the axioms and convinced us 
they are sufficient for a very wide range of purposes. See Moszkowski [14] for 
more about this. The proof system is divided into a propositional part and a 
first-order part. Our discussion looks at each in turn. 



Propositional Axioms and Inference Rules. The propositional axioms and 
inference rules mainly deal with chop, and skip and operators derived from them. 
Only one axiom is needed for chop-star. The proof system gives nearly equal 
treatment to initial and terminal subintervals. This is exceedingly important for 
the kinds of proofs we do. In addition, this makes the proof system easier to 
understand since much of it consists simply of duals in this sense. In contrast, 
most temporal logics cannot handle initial subintervals and even other proof 
systems for ITL largely neglect them. 

Rosner and Pnueli [19] and Paech [18] give propositional proof systems for 
ITL with infinite intervals and prove completeness. However, neither system has 
ever been used much. More recently, Kesten and Pnueli [6] were able to prove 
the completeness of a very nice proof system for Quantified Propositional Temporal 
Logic (QPTL) using Büchi Automata. Perhaps a similar technique can be 
applied to propositional ITL with infinite time since it has the same expressiveness 
as QPTL and can even be translated into it as shown by Halpern and 
Moszkowski in [11, pp. 23-24]. Our proof system presented here contains some of 
the propositional axioms suggested by Rosner and Pnueli but also includes our 
own axioms and inference rule for the operators $\boxminus$, halt, and chop-star. These 
assist in deducing propositional and first-order theorems and in deriving rules 
for importing, exporting and other important aspects of composition. 

$$\begin{array}{ll}
\mathrm{Prop} & \vdash \text{Substitutions of tautologies} \\
\mathrm{P2} & \vdash (S;T);U \equiv S;(T;U) \\
\mathrm{P3} & \vdash (S \vee S');T \supset (S;T) \vee (S';T) \\
\mathrm{P4} & \vdash S;(T \vee T') \supset (S;T) \vee (S;T') \\
\mathrm{P5} & \vdash \mathit{empty};S \equiv S \\
\mathrm{P6} & \vdash S;\mathit{empty} \equiv S \\
\mathrm{P7} & \vdash w \supset \boxminus w \\
\mathrm{P8} & \vdash \boxminus(S \supset S') \wedge \Box(T \supset T') \supset (S;T) \supset (S';T') \\
\mathrm{P9} & \vdash \bigcirc S \supset \neg\bigcirc\neg S \\
\mathrm{P10} & \vdash \Diamond((\Diamond\,\mathit{halt}\ w) \wedge S) \supset \boxminus((\Diamond\,\mathit{halt}\ w) \supset S) \\
\mathrm{P11} & \vdash S \wedge \Box(S \supset \mathit{wnext}\,S) \supset \Box S \\
\mathrm{P12} & \vdash S^* \equiv \mathit{empty} \vee (S \wedge \mathit{more});S^* \\[3pt]
\mathrm{MP} & \vdash S \supset T,\ \vdash S \;\Rightarrow\; \vdash T \\
\Box\mathrm{Gen} & \vdash S \;\Rightarrow\; \vdash \Box S \\
\boxminus\mathrm{Gen} & \vdash S \;\Rightarrow\; \vdash \boxminus S
\end{array}$$



We now give a sample theorem and its proof: 

$$\vdash\ \boxminus(S \supset T) \supset \Diamond_i S \supset \Diamond_i T .$$

Proof: 

$$\begin{array}{lll}
1 & \vdash \mathit{true} \supset \mathit{true} & \mathrm{Prop} \\
2 & \vdash \Box(\mathit{true} \supset \mathit{true}) & 1,\ \Box\mathrm{Gen} \\
3 & \vdash \boxminus(S \supset T) \wedge \Box(\mathit{true} \supset \mathit{true}) \supset (S;\mathit{true}) \supset (T;\mathit{true}) & \mathrm{P8} \\
4 & \vdash \boxminus(S \supset T) \supset (S;\mathit{true}) \supset (T;\mathit{true}) & 2,\,3,\ \mathrm{Prop} \\
5 & \vdash \boxminus(S \supset T) \supset \Diamond_i S \supset \Diamond_i T & 4,\ \text{def. of } \Diamond_i
\end{array}$$



Theorem A. The propositional proof system is complete for quantifier-free formulas 
containing only boolean-valued static and state variables. 

Outline of proof: For a given formula, we construct a finite tableau consisting 
of a number of states. Each state is represented as a disjunction whose disjuncts 
are themselves conjunctions of primitive propositions, next formulas and their 
negations. Now suppose $S$ is a valid formula. Construct a tableau for its negation 
$\neg S$. Call a state in a tableau final if it is satisfiable by some empty interval. 
No state reachable from the initial state in our tableau for $\neg S$ is final, since 
otherwise we can use the path to construct a model for $\neg S$. Therefore the tableau 
reflects that $\neg S$ is not true in any finite intervals. We convert this to a proof-by-contradiction 
for $S$. This technique also applies to a version of Rosner and 
Pnueli's proof system restricted to finite intervals. 



First-Order Axioms and Inference Rules. Below are axioms and inference 
rules for reasoning about first-order concepts. They are to be used together with 
the propositional ones already introduced. See Manna [10] and Kröger [9] for 
proof systems for chop-free first-order temporal logic. We let $v$ and $v'$ refer to 
both static and state variables. 

F1 $\vdash$ All substitution instances of valid nonmodal formulas of conventional 
first-order logic with arithmetic. 

F2 $\vdash \forall v\colon S \supset S^{v}_{e}$ , 
where the expression $e$ is sort-compatible with $v$ and $v$ is free for $e$ 
in $S$. If $e$ contains any temporal operators, then $v$ must be a state 
variable not occurring freely in $S$ within the left side of a chop 
formula or within a chop-star formula. 

F3 $\vdash \forall v\colon (S \supset T) \supset (S \supset \forall v\colon T)$ , 
where $v$ doesn't occur freely in $S$. 

F4 $\vdash (\iota v\colon S) = (\iota v'\colon S^{v}_{v'})$ , 
where $v$ and $v'$ are static variables of one sort and $v$ is free for $v'$ 
in $S$. 

F5 $\vdash \forall v\colon (S \equiv T) \supset (\iota v\colon S) = (\iota v\colon T)$ , 
where $v$ is static. 

F6 $\vdash (\exists v\colon S) \wedge \ldots = v \supset S$ , 
where $v$ is a static variable. 

F7 $\vdash w \supset \Box w$ , 
where $w$ only contains static variables. 

F8 $\vdash \exists v\colon (S;T) \supset (\exists v\colon S);T$ , 
where $v$ doesn't occur freely in $T$. 

F9 $\vdash \exists v\colon (S;T) \supset S;(\exists v\colon T)$ , 
where $v$ doesn't occur freely in $S$. 

F10 $\vdash (\exists v\colon S);\bigcirc(\exists v\colon T) \supset \exists v\colon (S;\bigcirc T)$ , 
where $v$ is a state variable. 

$\forall$Gen $\vdash S \;\Rightarrow\; \vdash \forall v\colon S$ , 
for any variable $v$. 

Induct $\vdash S^{n}_{0},\ \vdash S \supset S^{n}_{n+1} \;\Rightarrow\; \vdash S$ , 
for any static variable $n$ whose sort is the natural numbers. 
The axiom F1 permits using properties of conventional first-order logic with 
arithmetic without proof. Most of the other axioms and the two inference rules 
at the end are adaptations of conventional nonmodal equivalents for quantifiers 
and definite descriptions. Only four axioms actually contain temporal operators. 
Axiom F7 deals with state formulas containing only static variables. The two 
axioms F8 and F9 show how to move an existential quantifier out of the scope 
of chop. The remaining temporal axiom F10 shows how to combine two state 
variables in nearly adjacent subintervals into one state variable for the entire 
interval. We extensively use it and lemmas derived from it for constructing auxiliary 
variables. Dutertre [1] gives a complete first-order ITL proof system but 
unfortunately with a nonstandard semantics of intervals. In addition, it has not 
been developed with compositional proofs in mind. 

A.1 Axioms for Infinite Time 

The proof system for ITL with infinite time contains all the axioms and basic 
inference rules of the basic proof system. We also include the following two 
propositional axioms: 

$$\mathrm{P13}\quad \vdash (S \wedge \mathit{inf});T \equiv S \wedge \mathit{inf} ,$$

$$\mathrm{P14}\quad \vdash S \wedge \Box(S \supset (T \wedge \mathit{more});S) \supset T^* .$$

The first-order axiom now given is sometimes needed for constructing auxiliary 
variables with chop-star: 

$$\mathrm{F11}\quad \vdash (\forall v\colon \exists v'\colon (v = v' \wedge S))^* \supset \forall v\colon \exists v'\colon (v = v' \wedge S^*) ,$$

where $v$ and $v'$ are state variables and $v$ does not occur freely in $S$. 

It may be that a complete axiom system for even propositional ITL with infinite 
intervals can only be achieved by means of a nonconventional inference rule. This 
is not central to our approach. 
Abstract. In this paper we show that every real-time system specified 
in a certain subset of Duration Calculus [24] can be decomposed into an 
untimed system communicating with suitable timers. Both asynchronous 
and synchronous communication are considered. 



1 Introduction 

Real-time systems are reactive systems where reactions to certain inputs have to 
occur within given time intervals [8, 16, 14, 11]. These systems usually consist of 
some physical process for which a suitable controller has to be constructed such 
that the controlled process exhibits the desired time dependent behaviour. The 
interaction between process and controller proceeds via sensors and actuators 
as shown in Fig. 1. 




Fig. 1. Real-time system 



When constructing the controller the reaction times of all components of this 
system have to be taken into account. 

Since real-time systems are more difficult to design and verify than untimed 
reactive systems, methods for separating time-critical aspects from untimed 
causal behaviour are desirable. Possible approaches are abstraction and decomposition. 
Abstraction is used in the automatic verification (model checking) of 
real-time systems specified by timed automata. For example, R. Alur and D. Dill 
[1] observed that in order to decide whether the language $\mathcal{L}(A)$ of timed traces 
of a timed automaton $A$ is empty it suffices to check whether the corresponding 
untimed language $\mathit{Untime}(\mathcal{L}(A))$ consisting of all communication traces with the 
time stamps removed is empty. Their main result is that $\mathit{Untime}(\mathcal{L}(A))$ is an 
$\omega$-regular language that can be recognised by a suitable Büchi automaton, the 
region automaton. This region automaton thus represents an abstract finite state 
view of the infinitely many timed configurations of the original timed automaton 
$A$ tailored to the particular verification problem under consideration, here the 
emptiness problem of $\mathcal{L}(A)$. 

* This work was partially funded by the Leibniz Programme of the German Research 
Council (DFG) under grant 01 98/1-f. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 465-489, 1998. 

Decomposition should preserve the overall real-time properties of the system, 
but restructure the system such that the time-critical aspects are localised 
in some components. The aim of this paper is to show how the specification of a 
real-time controller can be correctly decomposed into an untimed controller 
communicating with timers (see Fig. 2). Such a decomposition can provide the basis 
for implementing and simulating real-time controllers and for a proof methodology 
that separates untimed and timed properties. 

[Fig. 2: a controller decomposed into an untimed controller communicating with timers.]

Fig. 2. Controller decomposition 

Our paper is motivated by two sources. Firstly, in previous work in the project 
ProCoS (Provably Correct Systems) [10] an approach to the transformational design 
of real-time systems was developed [23,22]. In ProCoS the Duration Calculus 
[24] was taken as the basis for specifying real-time systems. In [23,22] it is 
shown how real-time systems specified in a subset of Duration Calculus [24], the 
so-called implementables due to A.P. Ravn [21], can be gradually transformed 
into timed Occam programs. In the ProCoS example of a gas burner controller 
the final program consisted of an untimed Occam program communicating synchronously 
with two separate timer components. While this decomposition was 
possible in the particular gas burner example, it was unclear how general this 
construction was. In this paper we show that this decomposition works in general. 

Secondly, in a similar style S. Dick and J. Peleska are pursuing an approach 
where a given Timed CSP process is decomposed into an untimed CSP process 
communicating synchronously with separate timer processes: 

$$\mathit{Timed\_CSP\_process} = \mathit{untimed\_CSP\_process} \parallel \mathit{timers}$$

where $\parallel$ denotes the parallel composition operator of CSP [15,3]. The advantage 
of this structural transformation is that real-time interpreters can be based 
directly on this decomposition result. This facilitates rapid prototyping and further 
analysis of the original Timed CSP process. A difficulty lies in proving the 
above decomposition result. This is partly due to the semantics of Timed CSP 
which assumes a fixed minimal reaction time $\delta$ for all communications [2]. As a 
consequence some simple Timed CSP processes like 

a <1^ b SKIP 

cannot be decomposed because it would take at least three communications to 
interact with a timer: one to set the timer, one to let the timer progress, and a 
third one to communicate the elapsing of the time back to the main process. 
These communications would need a time of $3 \cdot \delta$ which exceeds the time of $2 \cdot \delta$ 
allowed between $a$ and $b$. 

In this paper we avoid such difficulties by working with an unspecified non-zero 
reaction time described by some parameter, say $\varepsilon$. Then our decomposition 
techniques will generate conditions on the reaction times needed for the components 
and the timers such that the overall real-time requirements are still 
guaranteed. Formally, this is done by working in the setting of a continuous 
time domain where changes of the time scale can be easily accommodated. 

At first sight it seems that the decomposition of real-time systems into untimed 
parts and timers is already solved by the model of timed automata. As 
phrased in [17], timed automata can be viewed as satisfying the equation 

$$\text{timed automata} = \text{finite state machine} + \text{finite set of clocks}.$$

However, the main difference between timed automata and the present approach 
is that in the timed automata model the clock operations are indivisibly coupled 
with the transitions whereas here we present a clear separation of untimed system 
and timers with explicit communications between them. 

In this paper the decomposition result will be established for real-time specifications 
written as Duration Calculus implementables [21]. The decomposition 
algorithm reuses a technique of [6] for synthesising so-called PLC-Automata 
from a given set of Duration Calculus implementables. PLC-Automata are an 
abstract specification of polling controllers that can be easily implemented on 
Programmable Logic Controllers (PLCs) [5]. Whereas in [6] the timing conditions 
are an indivisible part of the PLC-Automata, the novelty of this paper 
is that the timers are kept as separate components that communicate with the 
untimed controller. We hope that this increases the conceptual clarity of the 
approach. 



2 Real-Time Specifications 

Our basic assumption is that a real-time system can be described by a set of 
time dependent observables $\mathit{obs}$ which are functions 

$$\mathit{obs} : \mathit{Time} \to D_{\mathit{obs}}$$

where $\mathit{Time}$ is a continuous time domain, here the nonnegative real numbers 
$\mathbb{R}_{\ge 0}$, and $D_{\mathit{obs}}$ is the type or data domain of $\mathit{obs}$. For example, a gas valve 
might be described using a Boolean valued observable 

$$\mathit{gas} : \mathit{Time} \to \{0, 1\}$$

indicating whether gas is present or not [20], a railway track by an observable 

$$\mathit{track} : \mathit{Time} \to \{\mathit{empty}, \mathit{appr}, \mathit{cross}\}$$

where appr means a train is approaching and cross means that it is crossing 
the gate [19], and the current communication trace of a reactive system by an 
observable 

$$\mathit{tr} : \mathit{Time} \to \mathit{Comm}^*$$

where $\mathit{Comm}^*$ denotes the set of all finite sequences over a set $\mathit{Comm}$ of possible 
communications [22]. Thus depending on the choice of observables we can 
describe a real-time system at various levels of abstraction. 

To describe properties of observables we use predicates of a suitable logic. In 
such a predicative approach the semantics of different syntactic descriptions of 
a real-time system will be given in terms of predicates in the same logic. The 
advantage is that then correctness can be expressed as logic implication between 
predicates. For any two syntactic descriptions $\mathit{term}_1$ and $\mathit{term}_2$ we write 

$$\mathit{term}_1 \qquad \mathit{term}_2$$

if the semantic predicate associated with $\mathit{term}_1$ logically implies the semantic 
predicate associated with $\mathit{term}_2$. Conceptually, this means that $\mathit{term}_1$ satisfies 
or refines all the properties of $\mathit{term}_2$, i.e. is correct w.r.t. $\mathit{term}_2$. For example, if 
$\mathit{term}_2$ is a specification $\mathit{spec}$ and $\mathit{term}_1$ is a program $\mathit{prog}$ then 

$$\mathit{prog} \qquad \mathit{spec}$$

expresses that $\mathit{prog}$ correctly implements $\mathit{spec}$. 

In general, the picture gets more complicated if the predicates associated 
with $\mathit{term}_1$ and $\mathit{term}_2$ involve different observables, say $\mathit{term}_1$ involves more 
concrete observables $c$ and $\mathit{term}_2$ more abstract ones $a$. Then we need a linking 
invariant that relates the values of $a$ and $c$. Such an invariant is known from 
data refinement [7]; it can also be expressed as a predicate, say $\mathit{link}_{a,c}$. Then 
correctness becomes 

$$\mathit{term}_1 \wedge \mathit{link}_{a,c} \qquad \mathit{term}_2,$$

i.e. the conjunction of $\mathit{term}_1$ and $\mathit{link}_{a,c}$ has to imply $\mathit{term}_2$. 




2.1 Duration Calculus 
In this paper we use Duration Calculus (abbreviated DC), a real-time interval 
temporal logic developed by Zhou Chaochen and others [24,21,9], as the predi- 
cate language to describe properties of real-time systems. This choice is mostly 
motivated by our previous experience and acquired fluency in this logic, but also 
by the convenience with which the interval and continuous time aspects of DC 
allow us to express and reason about reaction times of components. 



Syntax. Formally, the syntax of Duration Calculus distinguishes terms, duration 
terms and duration formulae. Terms $\tau$ have a certain type and are built from 
time dependent observables $\mathit{obs}$ like $\mathit{gas}$ or $\mathit{track}$, rigid variables $x$ representing 
time independent variables, and are closed under typed operators $\mathit{op}$: 

$$\tau ::= \mathit{obs} \mid x \mid \mathit{op}(\vec{\tau})$$

where $\vec{\tau}$ is a vector of terms. Terms of Boolean type are called state assertions. 
We use $S$ for a typical state assertion. 

Duration terms $\theta$ are of type real but their values depend on a given time 
interval. The simplest duration term is the symbol $\ell$ denoting the length of the 
given interval. The name Duration Calculus stems from the fact that for each 
state assertion $S$ there is a duration term $\int S$ measuring the duration of $S$, i.e. the 
accumulated time $S$ holds in the given interval. Formally: 

$$\theta ::= \ell \mid \textstyle\int S \mid \mathit{op}_{\mathit{real}}(\vec{\theta})$$

where $\mathit{op}_{\mathit{real}}$ is a real-valued operator and $\vec{\theta}$ a vector of duration terms. 

Duration formulae denote truth values depending on a given time interval. 
They are built from the constants true and false, relations $\mathit{rel}$ applied to duration 
terms, and are closed under the chop operator (denoted by $;$), propositional 
connectives $\mathit{op}_{\mathit{Bool}}$, and quantification $Q \in \{\forall, \exists\}$ over rigid variables $x$. We use 
$F$ for a typical duration formula: 

$$F ::= \mathit{rel}(\vec{\theta}) \mid F_1 ; F_2 \mid \mathit{op}_{\mathit{Bool}}(\vec{F}) \mid Qx.F$$

where $\vec{F}$ is a vector of duration formulae. Besides this basic syntax various abbreviations 
are used for duration formulae: 

$$\begin{array}{lrcl}
\text{point interval:} & \lceil\rceil & \stackrel{\mathrm{def}}{=} & \ell = 0 \\
\text{everywhere:} & \lceil S\rceil & \stackrel{\mathrm{def}}{=} & \int S = \ell \wedge \ell > 0 \\
\text{somewhere:} & \Diamond F & \stackrel{\mathrm{def}}{=} & \mathit{true} ; F ; \mathit{true} \\
\text{always:} & \Box F & \stackrel{\mathrm{def}}{=} & \neg\Diamond\neg F
\end{array}$$



Semantics. The semantics of Duration Calculus is based on an interpretation 
$\mathcal{I}$ that assigns a fixed meaning to each observable, rigid variable and operator 
symbol of the language. To an observable $\mathit{obs}$ the interpretation $\mathcal{I}$ assigns a 
function 

$$\mathit{obs}_{\mathcal{I}} : \mathit{Time} \to D_{\mathit{obs}}.$$

This induces inductively the semantics of terms and hence state assertions. For 
a state assertion $S$ it is a function 

$$S_{\mathcal{I}} : \mathit{Time} \to \mathit{Bool}$$

where $\mathit{Bool}$ is identified with the set $\{0, 1\}$. 

The semantics of a duration term $\theta$ is denoted by $\mathcal{I}(\theta)$ and yields a real value 
depending on a given time interval $[b, e] \subseteq \mathit{Time}$. In particular, $\ell$ denotes the 
length of $[b, e]$ and $\int S$ the duration of the state assertion $S$ in $[b, e]$ as given by 
the integral. Formally: 

$$\mathcal{I}(\ell)[b,e] = e - b, \qquad \mathcal{I}(\textstyle\int S)[b,e] = \int_b^e S_{\mathcal{I}}(t)\,dt .$$

The semantics of a duration formula $F$ denotes a truth value depending on $\mathcal{I}$ 
and a given time interval $[b, e]$. We write $\mathcal{I}, [b, e] \models F$ if that truth value is true 
for $\mathcal{I}$ and $[b, e]$. The definition is by induction on the structure of $F$. The cases of 
relations, propositional connectives and quantification are handled as usual. For 
example, $\mathcal{I}, [b, e] \models \int S \le k$ if the duration $\int_b^e S_{\mathcal{I}}(t)\,dt$ is at most $k$. For $F_1 ; F_2$ 
(read as $F_1$ chop $F_2$) we define $\mathcal{I}, [b, e] \models F_1 ; F_2$ if the interval $[b, e]$ can be 
“chopped” into two subintervals $[b, m]$ and $[m, e]$ such that $\mathcal{I}, [b, m] \models F_1$ and 
$\mathcal{I}, [m, e] \models F_2$. 

Since in our application to the design of real-time systems the initial values of 
observables are important, we especially consider time intervals starting at time 
0 and define: a duration formula $F$ holds in an interpretation $\mathcal{I}$ if $\mathcal{I}, [0, t] \models F$ for 
all $t \in \mathit{Time}$. To formalise requirements in DC one states a number of suitable 
duration formulae and considers all interpretations for which the conjunction of 
the DC formulae holds in this sense. 



2.2 DC Implementables 

In the following we consider real-time systems that are modelled as (a collection 
of) state machines with time dependent input $\mathit{in}$, state $\mathit{st}$ and output $\mathit{out}$ 
as illustrated in Fig. 3. 

[Fig. 3: a state machine box with input in, internal state st and output out.]

Fig. 3. State-based real-time system 

Formally, such a system can be described using three observables 

$$\mathit{in} : \mathit{Time} \to \mathit{Inputs}, \qquad \mathit{st} : \mathit{Time} \to \mathit{States}, \qquad \mathit{out} : \mathit{Time} \to \mathit{Outputs}$$

where $\mathit{Inputs}$, $\mathit{States}$ and $\mathit{Outputs}$ are finite sets. We use the following meta 
variables: $a, b, \ldots \in \mathit{Inputs}$ and $A, B, \ldots \subseteq \mathit{Inputs}$ and $p, q, \ldots \in \mathit{States}$ and 
$P, Q, \ldots \subseteq \mathit{States}$. We stipulate that the output depends only on the state by 
some function 

$$\lambda : \mathit{States} \to \mathit{Outputs}.$$

If the sets $\mathit{Inputs}$, $\mathit{States}$, $\mathit{Outputs}$ are Cartesian products, we use subscripts to 
denote the component functions. E.g. for $\mathit{Outputs} = \mathit{Outputs}_1 \times \ldots \times \mathit{Outputs}_n$ 
we use $\mathit{out}_i : \mathit{Time} \to \mathit{Outputs}_i$ to denote the $i$-th component function. 

We shall specify the behaviour of this type of real-time system using a subset 
of Duration Calculus called DC implementables and due to A.P. Ravn [21]. DC 
implementables make use of the following idioms where $s, t \in \mathit{Time}$: 

$$\begin{array}{ll}
\text{followed-by:} & F \longrightarrow \lceil S\rceil \;\stackrel{\mathrm{def}}{=}\; \Box\neg(F ; \lceil\neg S\rceil) \\
\text{timed up-to:} & F \stackrel{\le t}{\longrightarrow} \lceil S\rceil \;\stackrel{\mathrm{def}}{=}\; (F \wedge \ell \le t) \longrightarrow \lceil S\rceil \\
\text{timed leads-to:} & F \stackrel{s}{\longrightarrow} \lceil S\rceil \;\stackrel{\mathrm{def}}{=}\; (F \wedge \ell = s) \longrightarrow \lceil S\rceil
\end{array}$$

Intuitively, $F \longrightarrow \lceil S\rceil$ expresses that whenever a pattern given by a formula $F$ 
is observed, it will be “followed by” an interval where $S$ holds. In the “up-to” 
form the pattern is bounded by a length “up to” $s$, and in the “leads-to” form 
this pattern is required to have a length $s$. Note that the “leads-to” does not 
simply say that whenever $F$ holds then $t$ time units later $\lceil S\rceil$ holds, but it rather 
requires a stability of $F$ for $t$ time units before we can be certain that $\lceil S\rceil$ holds. 
It is this kind of stability requirement that ultimately enables a hardware with 
polling sensors to implement the “leads-to”. 

Implementables are certain formats of formulae about the observables $\mathit{in}$ and 
$\mathit{st}$ of a real-time system. In these formulae we use the following abbreviations: 

$$\begin{array}{ll}
a & \text{abbreviates } \mathit{in} = a \\
A & \text{abbreviates } \mathit{in} \in A \\
q & \text{abbreviates } \mathit{st} = q \\
\neg q & \text{abbreviates } \mathit{st} \ne q \\
P & \text{abbreviates } \mathit{st} \in P
\end{array}$$

The DC implementables are then of the form: 

— Initialisation: $\lceil\rceil \vee \lceil q_0\rceil ; \mathit{true}$ 

says that the system must start in a state where $q_0$ holds. More precisely, 
each observation interval starting at time 0 is either a point interval or it 
has an initial (non-point) subinterval where $q_0$ holds everywhere. 

— Sequencing: $\lceil q\rceil \longrightarrow \lceil q \vee P\rceil$ 

says that being in state $q$ the system can either remain in this state or at 
most evolve into a state in the set $P$. 

— Unbounded Stability: $\lceil\neg q\rceil ; \lceil q \wedge A\rceil \longrightarrow \lceil q \vee Q\rceil$ 

says that if the system enters state $q$ while $A$ holds, it is guaranteed to stay 
in $q$ or to evolve to one of the states in $Q$. 

— Bounded Stability: $\lceil\neg q\rceil ; \lceil q \wedge B\rceil \stackrel{\le t}{\longrightarrow} \lceil q \vee R\rceil$ 

says that if the system enters state $q$ while $B$ holds, it is guaranteed for $t$ 
time units to stay in $q$ or to evolve to one of the states in $R$. 

— Timed Sequencing: $\lceil q \wedge C\rceil \stackrel{t}{\longrightarrow} \lceil q \vee T\rceil$ 

says that if the system is for $t$ time units in state $q$ with $C$ being fulfilled, 
it is guaranteed to stay in $q$ or to evolve to one of the states in $T$. 

— Progress: $\lceil q \wedge D\rceil \stackrel{t}{\longrightarrow} \lceil\neg q\rceil$ 

is the only form of implementable requiring that the present state $q$ must be 
left: being in $q$ while $D$ holds the system must leave $q$ within $t$ time units. 

The direct dependence of output from the state can be specified by the DC 
formula $\Box\lceil \mathit{out} = \lambda(\mathit{st})\rceil$, i.e. for every subinterval $\mathit{out}$ depends on $\mathit{st}$ as described 
by the function $\lambda$. 
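To make the implementables concrete, here is an added Python evaluator (not the paper's code) for DC formulas over a trace sampled on a unit grid, with the followed-by, up-to and leads-to idioms defined exactly as above. The timer formulas it checks are an assumed reading of the informal description of the alarm clock timer in Sect. 3; the parameters t = 5, ε = 1 and both traces are constructed for the example.

```python
"""Duration Calculus implementables checked on a sampled trace.

Added example, not the paper's code: observables are sampled so that cell i
covers the time interval [i, i+1); duration terms and formulas of Sect. 2.1
are then evaluated exactly by enumerating grid intervals, and the followed-by
/ up-to / leads-to idioms of Sect. 2.2 are defined on top exactly as there.
The timer formulas below are an assumed reading of Sect. 3, not the paper's.
"""
from typing import Callable, Dict, List

Cell = Dict[str, str]
Assertion = Callable[[Cell], bool]       # state assertion S, per cell
Formula = Callable[[int, int], bool]     # truth of a DC formula on [b, e]


class DC:
    """Evaluator for DC formulas over a piecewise-constant sampled trace."""

    def __init__(self, trace: List[Cell]) -> None:
        self.trace, self.n = trace, len(trace)
        self._prefix: Dict[Assertion, List[int]] = {}

    def integral(self, S: Assertion, b: int, e: int) -> int:
        """Duration of S on [b, e]: number of cells in [b, e) where S holds."""
        if S not in self._prefix:            # prefix sums, built once per S
            acc = [0]
            for cell in self.trace:
                acc.append(acc[-1] + int(S(cell)))
            self._prefix[S] = acc
        return self._prefix[S][e] - self._prefix[S][b]

    def everywhere(self, S: Assertion) -> Formula:   # [S] == integral S = l and l > 0
        return lambda b, e: e > b and self.integral(S, b, e) == e - b

    @staticmethod
    def length(rel: Callable[[int], bool]) -> Formula:  # rel(l); [] is length(l == 0)
        return lambda b, e: rel(e - b)

    @staticmethod
    def chop(F: Formula, G: Formula) -> Formula:     # F ; G for some split point m
        return lambda b, e: any(F(b, m) and G(m, e) for m in range(b, e + 1))

    @staticmethod
    def conj(F: Formula, G: Formula) -> Formula:
        return lambda b, e: F(b, e) and G(b, e)

    @staticmethod
    def neg(F: Formula) -> Formula:
        return lambda b, e: not F(b, e)

    def somewhere(self, F: Formula) -> Formula:      # <>F == true ; F ; true
        true = self.length(lambda l: True)
        return self.chop(true, self.chop(F, true))

    def always(self, F: Formula) -> Formula:         # []F == not <> not F
        return self.neg(self.somewhere(self.neg(F)))

    def followed_by(self, F: Formula, S: Assertion) -> Formula:   # F --> [S]
        not_S: Assertion = lambda c: not S(c)        # == [] not (F ; [not S])
        return self.always(self.neg(self.chop(F, self.everywhere(not_S))))

    def up_to(self, F: Formula, t: int, S: Assertion) -> Formula:    # F -<=t-> [S]
        return self.followed_by(self.conj(F, self.length(lambda l: l <= t)), S)

    def leads_to(self, F: Formula, t: int, S: Assertion) -> Formula:  # F -t-> [S]
        return self.followed_by(self.conj(F, self.length(lambda l: l == t)), S)

    def holds(self, F: Formula) -> bool:   # F holds: true on [0, t] for every t
        return all(F(0, t) for t in range(self.n + 1))


def run(*segments) -> List[Cell]:
    """Constructed trace from (length, st, in) runs, one cell per time unit."""
    cells: List[Cell] = []
    for length, st, inp in segments:
        cells += [{"st": st, "in": inp}] * length
    return cells


T, EPS = 5, 1   # assumed timer parameters: alarm after 5 units, reaction within 1
# set arrives at 0: off for 1 unit, on for 5, alarm until reset (at 12) is seen at 13
TIMER_OK = run((1, "off", "set"), (5, "on", "set"), (6, "alarm", "set"),
               (1, "alarm", "reset"), (3, "off", "reset"))
# Same run, but the timer leaves 'on' after only 3 units
TIMER_EARLY = run((1, "off", "set"), (3, "on", "set"), (8, "alarm", "set"),
                  (1, "alarm", "reset"), (3, "off", "reset"))


def check_timer(cells: List[Cell]) -> Dict[str, bool]:
    """Assumed timer implementables in the forms of Sect. 2.2 (B = true, R = {})."""
    dc = DC(cells)
    on: Assertion = lambda c: c["st"] == "on"
    not_on: Assertion = lambda c: c["st"] != "on"
    not_off: Assertion = lambda c: c["st"] != "off"
    off_set: Assertion = lambda c: c["st"] == "off" and c["in"] == "set"
    on_or_alarm: Assertion = lambda c: c["st"] in ("on", "alarm")
    return {
        # Progress: [off and set] -EPS-> [not off]
        "progress_off": dc.holds(dc.leads_to(dc.everywhere(off_set), EPS, not_off)),
        # Sequencing: [on] --> [on or alarm]
        "sequencing_on": dc.holds(dc.followed_by(dc.everywhere(on), on_or_alarm)),
        # Bounded stability: [not on] ; [on] -<=T-> [on]
        "bounded_stability_on": dc.holds(dc.up_to(
            dc.chop(dc.everywhere(not_on), dc.everywhere(on)), T, on)),
        # Progress: [on] -(T+EPS)-> [not on]
        "progress_on": dc.holds(dc.leads_to(dc.everywhere(on), T + EPS, not_on)),
    }
```

Because every observable is constant on each grid cell and the time bounds are grid multiples, a chop point can always be shifted to a grid point without changing the truth of the pattern, which is why enumerating integer split points is exact here.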

2.3 Parallel Composition with Asynchronous Communication 

We wish to model parallel composition of state machines such that part of the 
outputs of one machine serve as inputs of the other and vice versa. We stipulate 
asynchronous communication, i.e. output of one machine can be produced at any 
time whereas reading this output as input by the other machine and reacting to 
it occurs somewhat later depending on the internal speed of that machine. 

Formally, parallel composition with asynchronous communication of two state 
machines $\mathcal{M}_1$ and $\mathcal{M}_2$ specified in terms of observables $\mathit{in1}$, $\mathit{st1}$, $\mathit{out1}$ and $\mathit{in2}$, 
$\mathit{st2}$, $\mathit{out2}$ is denoted by $\mathcal{M}_1 \parallel_{\mathit{asyn}} \mathcal{M}_2$. Semantically, the binary operator $\parallel_{\mathit{asyn}}$ 
is modelled by the conjunction of the DC implementables describing $\mathcal{M}_1$ and 
$\mathcal{M}_2$ and a DC formula $\mathit{link}$ describing the communication links between $\mathcal{M}_1$ 
and $\mathcal{M}_2$. One extreme is a disjoint parallel composition without any communication 
between the two state machines. This is specified by $\mathit{link} = \mathit{true}$. The 
other extreme is a closed system where the output of $\mathcal{M}_1$ is the input of $\mathcal{M}_2$ 
and, vice versa, the output of $\mathcal{M}_2$ is the input of $\mathcal{M}_1$. This is specified by 

$$\mathit{link} = \Box(\lceil \mathit{in2} = \mathit{out1} \rceil \wedge \lceil \mathit{in1} = \mathit{out2} \rceil)$$

provided that the value domains agree, i.e. $\mathit{Inputs}_2 = \mathit{Outputs}_1$ and $\mathit{Inputs}_1 = \mathit{Outputs}_2$ 
hold. When these value domains are Cartesian products, we can specify 
the communication links more selectively. For example, 

$$\mathit{link} = \Box\lceil \mathit{in2}_j = \mathit{out1}_k \rceil$$

specifies that the $k$-th output line of $\mathcal{M}_1$ is taken as the $j$-th input line of $\mathcal{M}_2$. 
Such equations between outputs and inputs of different machines model communication 
media without delays. Note that in DC it is also possible to specify 
more elaborate media with delays. However, in this paper we assume that the 
communication media are fast compared with the speed of the component state 
machines and that their delays can therefore be ignored. 



3 Timers 

We specify now a generic alarm clock timer for t seconds with a required reaction
time of ε seconds where $t, \varepsilon \in Time \setminus \{0\}$ are given time parameters. To this
end, we specialise the three observables of a time dependent state machine (see
also Fig. 4):

  in : Time → {set, reset}
  st : Time → {off, on, alarm}
  out = st



Fig. 4. Timer (input in over {set, reset}, state st over {off, on, alarm}, output out = st)

Once an input signal set is received, the timer should proceed (after a reaction
time of at most ε) from its initial state off into the state on. After t seconds
have elapsed the timer should proceed (after a reaction time of at most ε) to the
alarm state. In this state the timer stays until it receives an input signal reset.
Then it returns (after a reaction time of at most ε) to its initial state off. This
typical behaviour is displayed by the timing diagram of Fig. 5.

Additionally, we require that the timer can be reset at any moment. Thus
the untimed transition diagram is as shown in Fig. 6. Using DC implementables,
this diagram can be specified as follows:

— Initialisation:

  $\lceil\,\rceil \vee \lceil off \rceil ; true$

— Sequencing:

  $\lceil off \rceil \longrightarrow \lceil off \vee on \rceil$

  $\lceil alarm \rceil \longrightarrow \lceil alarm \vee off \rceil$

— Unbounded Stability:

  $\lceil \neg off \rceil ; \lceil off \wedge reset \rceil \longrightarrow \lceil off \rceil$

  $\lceil \neg on \rceil ; \lceil on \wedge set \rceil \longrightarrow \lceil on \vee alarm \rceil$

  $\lceil \neg on \rceil ; \lceil on \wedge reset \rceil \longrightarrow \lceil on \vee off \rceil$

  $\lceil \neg alarm \rceil ; \lceil alarm \wedge set \rceil \longrightarrow \lceil alarm \rceil$

Fig. 6. Timer transition diagram

The timing conditions are not visible in the transition diagram in Fig. 6 but
they can be conveniently specified by the following DC implementables:

— Bounded Stability:

  $\lceil \neg on \rceil ; \lceil on \wedge set \rceil \xrightarrow{\leq t} \lceil on \rceil$

— Timed Sequencing:

  $\lceil on \wedge reset \rceil \longrightarrow \lceil on \vee off \rceil$

  $\lceil on \wedge set \rceil \xrightarrow{t} \lceil on \vee alarm \rceil$

— Progress:

  $\lceil off \wedge set \rceil \xrightarrow{\leq \varepsilon} \lceil \neg off \rceil$

  $\lceil on \wedge set \rceil \xrightarrow{\leq t + \varepsilon} \lceil \neg on \rceil$

  $\lceil on \wedge reset \rceil \xrightarrow{\leq \varepsilon} \lceil \neg on \rceil$

  $\lceil alarm \wedge reset \rceil \xrightarrow{\leq \varepsilon} \lceil \neg alarm \rceil$

Except for the set transition in the on state every transition is to be taken as
fast as possible, i.e. within a reaction time of at most ε. The set transition in
state on is delayed by t seconds and thereafter can take place within further ε
seconds. In the subsequent sections we will reuse instances of this generic timer
as components of real-time controllers.

4 Decomposition: Examples 

In this paper we are interested in decomposing timed state machines specified
by a set of DC implementables into an untimed state machine communicating
asynchronously with suitable timers. Intuitively, for an untimed state machine
there should be no time restrictions on the transition behaviour. Thus it seems
that in terms of DC implementables this behaviour should be describable purely
by initialisation, sequencing and unbounded stability constraints.

However, then we also allow an idling behaviour where after some time there
is no reaction to inputs any more. This does not correspond to the intended
behaviour of an ordinary state machine in the presence of inputs. To avoid this
we model untimed machines in a timed setting as machines where progress is
guaranteed. This is achieved by requiring a uniform progress bound ε for all
transitions. Thus an “untimed” machine is actually modelled here as an eager
machine that tries to perform its transitions as fast as possible, with an upper
time bound of ε. The role of the timers will then be to slow down the eager
machines at appropriate moments.

4.1 Gas burner 

At first we consider the gas burner example due to [20,10]. The gas burner is
controlled through a thermostat, and can itself control a gas valve and monitor
the flame. It can be modelled by the Boolean observables

  hr, gas, fl : Time → {0, 1}

which express the states of the thermostat (with hr standing for heat request),
the gas valve and the flame. Besides several functional requirements there is
the safety requirement that gas must not leak for too long. Gas leakage can be
modelled by the state assertion

  $leak \stackrel{\wedge}{=} gas \wedge \neg fl$.

Then a safety requirement is that for every time interval [b, e] of length $\ell \leq 30$
the duration of leak within that interval is at most 4. In DC this can be
conveniently stated using the integral:

  $Safe \stackrel{\wedge}{=} \Box(\ell \leq 30 \Rightarrow \int leak \leq 4)$.
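As an added example that is not part of the paper, the following Python decides Safe on a constructed piecewise-constant trace of gas and fl; the trace, the window sweep and all function names are this example's own assumptions.

```python
"""Checking the gas burner safety requirement Safe on a recorded trace.

Added example, not code from the paper: a trace of the Boolean observables
gas and fl is given as piecewise-constant segments, leak = gas and not fl is
derived from it, and Safe (every interval of length at most 30 contains at
most 4 time units of leak) is decided by sliding a window of length 30 over
the leak phases.  The leak measure of a window is piecewise linear in the
window's start, so only windows whose start or end coincides with the start
or end of a leak phase (plus the trace boundaries) need to be inspected.
"""
WINDOW = 30.0       # interval length l <= 30 in Safe
LEAK_BOUND = 4.0    # integral of leak <= 4 in Safe


def leak_phases(trace):
    """trace: list of (t_start, t_end, gas, fl) segments in time order.
    Returns the merged intervals [start, end) on which leak = gas and not fl."""
    phases = []
    for start, end, gas, fl in trace:
        if gas and not fl:
            if phases and phases[-1][1] == start:
                phases[-1] = (phases[-1][0], end)   # merge adjacent leak phases
            else:
                phases.append((start, end))
    return phases


def leak_in(phases, b, e):
    """Duration of leak within the interval [b, e] (the DC integral over [b, e])."""
    return sum(max(0.0, min(end, e) - max(start, b)) for start, end in phases)


def worst_window(trace):
    """The window [b, b + 30] with the largest leak duration, as (leak, b).
    Any interval of length < 30 is contained in one of length 30, so checking
    windows of full length suffices (windows are clipped to the trace horizon)."""
    phases = leak_phases(trace)
    horizon = trace[-1][1]
    length = min(WINDOW, horizon)
    candidates = {0.0, horizon - length}
    for start, end in phases:
        for b in (start, end, start - length, end - length):
            candidates.add(min(max(b, 0.0), horizon - length))
    return max((leak_in(phases, b, b + length), b) for b in candidates)


def safe(trace):
    """Safe holds iff no window of length 30 contains more than 4 units of leak."""
    return worst_window(trace)[0] <= LEAK_BOUND


# Constructed traces (not from the paper): the flame fails repeatedly, each
# failure producing a 1 second leak before the controller switches gas off.
SAFE_TRACE = [
    (0, 10, 0, 0), (10, 11, 1, 0), (11, 15, 0, 0), (15, 16, 1, 0),
    (16, 20, 0, 0), (20, 21, 1, 0), (21, 25, 0, 0), (25, 26, 1, 0),
    (26, 60, 0, 0),
]
# One more leak inside the same 30 second window pushes the integral to 5.
UNSAFE_TRACE = SAFE_TRACE[:-1] + [(26, 30, 0, 0), (30, 31, 1, 0), (31, 60, 0, 0)]

if __name__ == "__main__":
    for name, trace in (("safe", SAFE_TRACE), ("unsafe", UNSAFE_TRACE)):
        print(name, worst_window(trace), safe(trace))   # (4.0, 10) True / (5.0, 10) False
```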

In [10] it is shown that this and other requirements are satisfied by a state-
based gas burner controller GBC as in Fig. 7.

Fig. 7. Gas burner control (inputs hr, fl; output gas)

Formally, the inputs, states and
outputs of GBC can be represented by the following observables:

  in : Time → {hr, ¬hr} × {fl, ¬fl}
  st : Time → {idle, purge, ignite, burn}
  out : Time → {gas, ¬gas}

Note that input is modelled here by the Cartesian product of the Boolean ob-
servables hr and fl. The transition diagram of GBC and how the output gas
and ¬gas depends on the state is illustrated in Fig. 8. Note that the transitions
between the states purge and ignite and between ignite and burn occur under
every possible input value. All other combinations of input values that are not
shown in the diagram yield idling transitions. For example, GBC idles in the
burn state if the input is hr ∧ fl. As with the timer in Section 3 this transi-
tion diagram can be expressed using initialisation, sequencing and unbounded
stability constraints. The timing conditions are stated separately.

— Bounded Stability:

  $\lceil \neg purge \rceil ; \lceil purge \rceil \xrightarrow{\leq 30} \lceil purge \rceil$

  $\lceil \neg ignite \rceil ; \lceil ignite \rceil \xrightarrow{\leq 1} \lceil ignite \rceil$

— Progress:

  $\lceil purge \rceil \xrightarrow{\leq 30 + \varepsilon} \lceil \neg purge \rceil$

  $\lceil ignite \rceil \xrightarrow{\leq 1 + \varepsilon} \lceil \neg ignite \rceil$

Fig. 8. Gas burner transition diagram

For all other transitions we require a reaction time of at most ε, for example
$\lceil idle \wedge hr \rceil \xrightarrow{\leq \varepsilon} \lceil \neg idle \rceil$.

We now wish to make these timing conditions more explicit by decomposing
the gas burner controller GBC into an “untimed” controller communicating with
suitable timers. In this case the resulting decomposition looks as shown in Fig. 9.
The arrows between the component boxes indicate the communication links of
the parallel composition.

The original state purge of the gas burner controller in Fig. 8 has been split
into two substates p1 and p2 and the original state ignite has been split into i1 and
i2. Formally, this state or phase splitting can be justified using a transformation
rule of [23,22]. On the semantic level a linking invariant linkage is needed to
specify the refinement relationship between the “abstract” gas burner in Fig. 8
and the “concrete” untimed controller in Fig. 9. If we take $st_a$ and $st_c$ as the
names for the two state observables, the linking invariant can be expressed by
the following DC formula:

  $linkage \stackrel{\wedge}{=} \Box(\ \lceil st_a = purge \rceil \Leftrightarrow \lceil st_c = p_1 \vee st_c = p_2 \rceil$
  $\qquad \wedge\ \lceil st_a = ignite \rceil \Leftrightarrow \lceil st_c = i_1 \vee st_c = i_2 \rceil$
  $\qquad \wedge\ \lceil st_a = burn \rceil \Leftrightarrow \lceil st_c = burn \rceil$
  $\qquad \wedge\ \lceil st_a = idle \rceil \Leftrightarrow \lceil st_c = idle \rceil\ )$

Thus whenever the original gas burner is in state purge the new untimed con-
troller is in state p1 or p2 and analogously for ignite and i1, i2. The other states
burn and idle are left unchanged.

It is understood that in the states idle, p1, p2 the output is ¬gas and in the
states burn, i1, i2 it is gas. Additionally, new outputs set30, reset30, set1, reset1
are generated in the new states p1, p2, i1, i2 and used as inputs for the timers. In
the graphic representation of the untimed gas burner controller the lower parts
of the new states p1, p2, i1, i2 display these new outputs.
Fig. 9. Gas burner decomposition

The timers in turn directly output their states as described in Section 3.
In this particular decomposition only the outputs off30, alarm30, off1, alarm1
of the timers are needed as inputs of the gas burner controller. For a proper
functioning we have to assume that the progress bounds of all transitions of the
gas burner controller are ε/5. The same is assumed for all transitions of the
timer for 30 seconds except for the delayed set30-transition leaving state on30
where the progress bound is 30 + ε/5 and analogously for the timer for 1 second.

Communication between gas burner controller and timers proceeds according
to the following protocol. When the gas burner controller is in state p1 it outputs
set30. This is an input to the timer for 30 seconds waiting in its initial state off30.
Within a time of ε/5 the timer progresses to its on30 state. By the specification
of the timer, we know that within the time interval [30, 30 + ε/5] progress to
the state alarm30 occurs. This state information is output to the gas burner
controller. Within ε/5 seconds the controller progresses to its state p2 in which
it outputs reset30 to the timer. The timer reacts within ε/5 seconds to this
communication by returning to its initial state off30. This state is then output to
the gas burner controller as an acknowledgement of the reset30 communication.
Only after receiving this acknowledgement does the controller proceed (in at
most ε/5 seconds) to the subsequent state i1.

Altogether, we observe the following behaviour: whenever the gas burner
controller is in state p1 then after at least 30 seconds and at most 30 + ε
seconds the state i1 is entered. This corresponds to entering the original state
ignite and is thus exactly what is required.



4.2 Filter 

This example is motivated by an industrial case study on tramway control [15]. 
For the safety of a single track segment sensors are needed to detect how many 
trams are in certain track segments. In particular, at most one tram is allowed 
to enter the critical single track segment at a time. 

A technical problem is that sensors may stutter, i.e. issue more than one
output signal when in reality only a single tram passes the sensor. To avoid
wrong data in the drive controller for the trams a suitable filter is needed for
each sensor. We consider here a filter FES reading input values 0, 1 and E (for
error) from a sensor called ES (for enter single track) and transforming them
into output values N (for no tram), T (for tram) and X (for exception). This is
indicated by Fig. 10 and the corresponding observables:

Fig. 10. Filter (input in over {0, 1, E}, output out over {N, T, X})

  in : Time → {0, 1, E}
  st : Time → {N, T, X}
  out = st

The desired real-time behaviour is shown in the timing diagram in Fig. 11. When
an input 1 from the sensor ES is detected the filter FES should (after a reaction
time of at most ε) output T (tram detected). In the subsequent 5 seconds the
filter should ignore any further stuttering of inputs 0 or 1 from the sensor and
stay with output T. We stipulate that after 5 seconds any stuttering of the
sensor has ceased so that the filter (after a reaction time of at most ε) returns
to output N. Afterwards any further input 1 will be treated as signalling a new
tram approaching thus causing output T again.

There is one input though which the filter FES must not ignore. That is the
input E indicating an erroneous sensor value. Then the filter should proceed
(after a reaction time of at most ε) to (state and) output X. The transition
diagram (again without showing the idling transitions) is given in Fig. 12.

The timing conditions formalising the desired behaviour are as follows. 
Fig. 11. Filter requirement

Fig. 12. Filter transition diagram

— Filtering: $\lceil \neg T \rceil ; \lceil T \wedge (0 \vee 1) \rceil \xrightarrow{\leq 5} \lceil T \rceil$

specifies that if a tram has been detected (output T) then this output should
stay for the next 5 seconds provided only 0 or 1 occur as inputs.

— Error handling: $\lceil T \wedge E \rceil \xrightarrow{\leq \varepsilon} \lceil \neg T \rceil$

specifies that if an error E has been sensed, state and output T should be
changed within ε seconds.

Again we wish to make these timing conditions more explicit by decomposing
the above filter FES into an “untimed” controller communicating with a timer
for 5 seconds. In this case the resulting decomposition looks as shown in Fig. 13
where ε/5 is required as the new progress bound for all transitions. Note that
this decomposition is more complex than that of the gas burner GBC because
here the timer may be reset before it elapses and the alarm sounds, viz. whenever
input E is detected.

5 Decomposition: Algorithm 

So far we have seen two examples for decomposing the specification of a real- 
time controller into an untimed controller communicating with suitable timers. 
Fig. 13. Filter decomposition

The question is whether this decomposition works in general. In this section we
give an affirmative answer for the case that the specification is given as a set
SPEC of DC implementables. We stipulate that these implementables specify
the desired behaviour of the observables in and st of a real-time system as in
subsection 2.2.

Based on the synthesis algorithm of [6] we describe now a decomposition
algorithm that realises the following transformation where $\parallel_{asyn}$ is the parallel
composition based on asynchronous communication described in subsection 2.3:



Note that the decomposition transformation states a refinement result, not a
semantic equivalence: the parallel composition of the untimed controller with
the timers refines the original specification SPEC.

The notion of consistency deals with the question whether the requirements
stated in SPEC contradict each other. For example, a progress requirement

  $\lceil p \wedge a \rceil \xrightarrow{\leq 5} \lceil \neg p \rceil$

stating that under input a the system should leave state p within 5 seconds
would be inconsistent with a bounded stability

  $\lceil \neg p \rceil ; \lceil p \wedge a \rceil \xrightarrow{\leq 6} \lceil p \rceil$






482 E.-R. Olderog and H. Dierks 

stating that under the same input the system should stay in state p for at least 
6 seconds. 

Idea of the algorithm. Assume now that SPEC is a set of DC implementables
consisting of an

— Initialisation: $\lceil\,\rceil \vee \lceil q_0 \rceil ; true$

and for each $q \in States$ of constraints of the form

— Sequencing: $\lceil q \rceil \longrightarrow \lceil q \vee P \rceil$

— Unbounded Stability: $\lceil \neg q \rceil ; \lceil q \wedge A_i \rceil \longrightarrow \lceil q \vee Q_i \rceil$ for $i \in I$

— Bounded Stability: $\lceil \neg q \rceil ; \lceil q \wedge B_j \rceil \xrightarrow{\leq s_j} \lceil q \vee R_j \rceil$ for $j \in J$

— Timed Sequencing: $\lceil q \wedge C_k \rceil \xrightarrow{p_k} \lceil q \vee T_k \rceil$ for $k \in K$

— Progress: $\lceil q \wedge D_l \rceil \xrightarrow{\leq t_l} \lceil \neg q \rceil$ for $l \in L$

Then the decomposition algorithm proceeds - for each state q - in four steps.

Step 1. Sort the set of stability time bounds $\{s_j \mid j \in J\} = \{s_1, s_2, \ldots, s_{n(q)}\}$
such that

  $0 = s_0 < s_1 < s_2 < \cdots < s_{n(q)} < s_{n(q)+1} = \infty$.

Step 2. Construct - by scanning the sequencing, unbounded stability, bounded
stability, timed sequencing and progress constraints - a time dependent transi-
tion table for the state q:

  (table: one column per bound $s_1, \ldots, s_{n(q)}, \infty$, one row per input a, b, ...;
  the entry in row a and column $s_i$ is $S_q(a, s_i)$)

An entry $S_q(a, s_i)$ in the table denotes the set of all successor states of q under
input a during the time interval $(s_{i-1}, s_i]$ where time is measured from the
moment that state q is entered. Note that progress constraints are the only
form of constraints that can remove the state q from the set $S_q(a, s_i)$; all other
constraints allow the possibility of staying in q and thus keep $q \in S_q(a, s_i)$. If
removing q yields $S_q(a, s_i) = \emptyset$, an inconsistency of the specification SPEC of
the form illustrated above has been discovered and the algorithm stops with an
appropriate error message.

Otherwise we continue by calculating constraints for the allowed reaction
time ε to inputs of the decomposed system. This is done by comparing the
required progress times with the stability times. Consider a progress constraint
of the form

  $\lceil q \wedge D_l \rceil \xrightarrow{\leq t_l} \lceil \neg q \rceil$.

If $t_l \in (s_{j-1}, s_j]$ then we generate the inequality $\varepsilon <$ . Choose an ε
satisfying all these inequalities as the reaction time.
Step 3. Split q into a cascade of substates $q_1, q_2, \ldots, q_{n(q)+1}$. As illustrated
in subsection 4.1, such a splitting is formalised by a suitable linking invari-
ant. To describe the transition relation from these substates consider some
$i \in \{1, \ldots, n(q) + 1\}$. For each input a we distinguish two cases.

Time progress case: $q \in S_q(a, s_i)$

If $i \leq n(q)$, we add an a-transition from $q_i$ to $q_{i+1}$ and require that this transition
is delayed (by a corresponding bounded stability constraint) for $s_i$ seconds.
After this stability time has passed, progress is required to occur within
ε seconds. Otherwise, i.e. if $i = n(q) + 1$, we add an idling a-transition from
$q_{n(q)+1}$ to itself. These transitions model time passage without leaving the
original state q.

Exit case: $q \notin S_q(a, s_i)$

Take one state $q' \in S_q(a, s_i)$ and add an a-transition from $q_i$ to $q'_1$, the first
substate of the cascade generated for q'. This transition models the exit from q
to q'.



Step 4. Introduce timers and suitable communications with them. More specifi-
cally, for each of the substates $q_i$ with $i \in \{1, \ldots, n(q) + 1\}$ we add a new timer for
$s_i$ seconds. Given $q_i$ we perform the following state splitting to achieve the
asynchronous communication with this timer. Each time progress a-transition
from $q_i$ to $q_{i+1}$ is replaced by



Each exit a-transition from $q_i$ to $q'_1$ is replaced by

and for each $q_{i2}$ generated by a replacement of some time progress transition
the new transition



is added. Altogether the replacement looks as in Fig. 14. The state splittings

Fig. 14. Overall replacement in the asynchronous setting

shown here and in Step 3 are formalised by a suitable linking invariant linkage,
the one mentioned in the statement of the decomposition rule.

To guarantee the original progress constraints we take ε/5 as the new progress
bound for all transitions. Note that the stability constraint introduced in Step 3
is implemented by the stability of the timer for $s_i$ seconds after the input
$set(s_i)$ and by the corresponding delay of the input of $alarm(s_i)$
for the controller component.
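Steps 1 to 3 of the algorithm, run on the purge state of the gas burner controller GBC and on the inconsistent progress/stability pair from the beginning of this section, as an added Python example that is not the authors' code; the Spec representation, the value ANY and the rule that a progress bound removes q from the cell containing it and from all later cells are assumptions of this example.

```python
"""Steps 1 to 3 of the decomposition algorithm on the page's own examples.

Added example, not code from the paper: the constraints of one state q of a
SPEC are given as data, the stability bounds are sorted (Step 1), the time
dependent transition table S_q(a, s_i) is built and checked for consistency
(Step 2), and q is split into the cascade q_1, ..., q_{n(q)+1} with its time
progress and exit transitions (Step 3).  The state assertions A_i, B_j, C_k,
D_l over the inputs are modelled as sets of input values, ANY meaning every
input.  Assumption not stated on the page: a progress constraint with bound
t_l removes q from the cell (s_{i-1}, s_i] containing t_l and from every
later cell.
"""
from dataclasses import dataclass, field
from math import inf

ANY = "*"


@dataclass
class Spec:
    q: str
    inputs: set                 # finite input alphabet
    sequencing: set             # P in  [q] --> [q v P]
    unbounded: list = field(default_factory=list)   # (A_i, Q_i)
    bounded: list = field(default_factory=list)     # (B_j, R_j, s_j)
    timed: list = field(default_factory=list)       # (C_k, T_k, p_k)
    progress: list = field(default_factory=list)    # (D_l, t_l)


def holds(assertion, a):
    return assertion == ANY or a in assertion


def stability_bounds(spec):
    """Step 1: 0 = s_0 < s_1 < ... < s_n(q) < s_n(q)+1 = infinity."""
    return [0.0] + sorted({s for _, _, s in spec.bounded}) + [inf]


def transition_table(spec):
    """Step 2: S_q(a, s_i) for every input a and every cell (s_{i-1}, s_i]."""
    s, q, table = stability_bounds(spec), spec.q, {}
    for a in spec.inputs:
        for i in range(1, len(s)):
            lo, hi = s[i - 1], s[i]
            succ = {q} | set(spec.sequencing)
            for A, Q in spec.unbounded:            # hold in every cell
                if holds(A, a):
                    succ &= {q} | set(Q)
            for B, R, sj in spec.bounded:          # cells inside (0, s_j]
                if holds(B, a) and hi <= sj:
                    succ &= {q} | set(R)
            for C, T, pk in spec.timed:            # cells after p_k has elapsed
                if holds(C, a) and lo >= pk:
                    succ &= {q} | set(T)
            for D, tl in spec.progress:            # the only way to drop q
                if holds(D, a) and tl <= hi:
                    succ.discard(q)
            if not succ:
                raise ValueError(f"inconsistent SPEC: S_{q}({a}, s_{i}) is empty")
            table[(a, i)] = frozenset(succ)
    return s, table


def cascade(spec):
    """Step 3: edges (source, input, target, delay) between the substates q_i.
    delay is the stability time s_i of a time progress transition, 0 otherwise."""
    s, table = transition_table(spec)
    q, n, edges = spec.q, len(s) - 2, []
    for (a, i), succ in sorted(table.items()):
        src = f"{q}_{i}"
        if q in succ:                                   # time progress case
            if i <= n:
                edges.append((src, a, f"{q}_{i + 1}", s[i]))
            else:
                edges.append((src, a, src, 0.0))        # idling in q_{n(q)+1}
        else:                                           # exit case
            q2 = sorted(succ)[0]                        # one successor q'
            edges.append((src, a, f"{q2}_1", 0.0))
    return edges


EPS = 0.1   # reaction time bound epsilon, constructed value

# State purge of the gas burner controller GBC (Fig. 8): it is left towards
# ignite under every input, stays for 30 s and is left within 30 + epsilon.
GBC_INPUTS = {"hr,fl", "hr,-fl", "-hr,fl", "-hr,-fl"}
PURGE = Spec(q="purge", inputs=GBC_INPUTS, sequencing={"ignite"},
             bounded=[(ANY, set(), 30.0)], progress=[(ANY, 30.0 + EPS)])

# The inconsistent pair from Section 5: leave p within 5 s, but stay 6 s.
INCONSISTENT = Spec(q="p", inputs={"a"}, sequencing=set(),
                    bounded=[({"a"}, set(), 6.0)], progress=[({"a"}, 5.0)])

if __name__ == "__main__":
    for edge in cascade(PURGE):
        print(edge)      # purge_1 -a-> purge_2 delayed 30 s, purge_2 -a-> ignite_1
    try:
        transition_table(INCONSISTENT)
    except ValueError as err:
        print(err)
```

The cascade reproduces the split of purge into p1 and p2 from Fig. 9, with the exit leading to the first substate of ignite.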




Decomposing Real-Time Specifications 485 

6 Decomposition based on Synchronous Communication 

It is interesting to note that the decomposition result can also be adapted to the case
of synchronous communication via directed channels as in CSP [12] or OCCAM
[13]. Semantically, timed systems based on synchronous communications can be
modelled by introducing two specific observables [22], a time dependent trace

  $tr \in Time \to Comm^*$

where $Comm^*$ denotes the set of all finite sequences over a set Comm of possible
communications, usually structured as pairs (ch, m) where ch is an element of a
set Chan of communication channels and m is an element of a set of messages,
and a time dependent ready set

  $R \in Time \to \mathcal{P}(Chan)$.

Intuitively, $ch \in R$ means that the component is willing to communicate along
channel ch.

If two components of a system are connected by a directed channel ch and
both are ready for communication, one for output and the other for input, the
synchronised communication can occur. We do not require it to occur exactly at
some point of time but allow that it happens within some interval bounded by
a latency function

  $lat : Chan \to \mathbb{R}_{>0}$.

Intuitively, lat{ch) = t means that if the partner components are ready for t 
time units to communicate along channel ch then a communication will take 
place. Strictly speaking, this amounts to requiring the existence of a certain 
channel scheduler in the underlying hardware on which the constructed real- 
time programs are to run. 

In the setting of synchronous communication a timer for t seconds needs
only two states, off and on (see Fig. 15). It has three communication channels
of message type signal for pure synchronisation without value transmission, the
input channels reset and set, and the output channel alarm. Following the CSP
conventions, we use ? to indicate input and ! to indicate output.

Initially, the timer is in state off. On input of a communication along the 
channel set, it proceeds within a time of lat(set) to state on. In on it stays for 
at least t seconds. After t seconds it is ready for an output along the channel 
alarm. In both states the timer is ready for an input along the channel reset. 
After that communication the timer returns to its initial state off. 

How to achieve a decomposition based on synchronous communication? Let
us first look at the gas burner example again (see Fig. 16). When the untimed
controller component of the gas burner is in state p1 it is ready for output along
the channel set30. The timer for 30 seconds is already waiting for input along
this channel. After a time of at most lat(set30) this communication is actually
occurring, thus advancing the controller component to state p2 and the timer to
state on. In state p2 the controller component is ready for input along channel
alarm30, but the timer delays its readiness for this communication by 30 seconds.
Then after at most lat(alarm30) this communication occurs and advances the
controller component to state i1 and resets the timer to its initial state off. Now
an analogous communication behaviour with the timer for 1 second occurs. By
choosing the above latencies all as ε/2, the required timing conditions concerning
the original purge state, here split into p1 and p2, are met. The stability of
30 seconds is guaranteed by the delay between the communications set30 and
alarm30; the progress of 30 + ε is guaranteed by the choice of the latencies. An
analogous argument holds for the original ignite state, here split into i1 and i2.

Fig. 15. A timer in a synchronous setting

Note that in contrast to the asynchronous communication we need not specify 
a protocol for sending and acknowledging communications but exploit that each 
synchronous handshake communication between untimed controller and timer 
provides simultaneous information for both components. 

The general case is more complex than the gas burner example and is dealt
with in the following.

Algorithm. We reuse the first three steps of the decomposition algorithm de-
scribed in Section 5. Only the final step needs to be adapted.

Step 4 - Synchronous communication. Introduce timers and suitable synchronous
communications with them. More specifically, for each of the substates $q_i$ with
$i \in \{1, \ldots, n(q) + 1\}$ we add a new timer for $s_i$ seconds. Given a time
progress a-transition from $q_i$ to $q_{i+1}$ and an exit b-transition from $q_i$ to $q'_1$, we
replace these transitions by the part shown in Fig. 17. As latency we take ε/3
for all communication channels with the timers. Also we need ε/3 as the new
progress bound for all other transitions. Together this guarantees the required
timing conditions.

7 Conclusion 

In this paper we have presented an algorithm for decomposing a real-time system
specified in a certain subset of Duration Calculus, the so-called implementables
of [21], into an untimed controller communicating in an asynchronous manner
with timers. The result was established in the setting of continuous time and
non-zero reaction times for the system components.

Fig. 16. The gas burner in a synchronous setting

For simplicity we used here a separate timer instance for each required de-
lay time t. In reality one will use (and reuse) programmable timers where t is
transmitted with the initial set communication. The decomposition shown in
this paper restructures a system into a possibly large untimed system commu-
nicating with small timer components. For future work it is desirable to search
for more flexible decomposition techniques. We hope to obtain more detailed
insights by analysing case studies of real-time systems like the production cell
[18,4] and the tramway control [15]. More generally, it would be desirable to
have techniques for correctly decomposing real-time systems into different views like
a process-oriented, a data-oriented and a time-critical view.
1 Introduction

Synchronous languages [1,4, 7, 9] address the specification and programming of
reactive processes, i.e. processes which continuously respond to stimuli at a rate
determined by the environment. The synchrony hypothesis [1] states that a pro-
cess is fully responsible for the synchronization with its environment, that is:

— event synchronization: the process is always able to react to events of the 
environment at a rate determined by the environment; 

— response synchronization: the response synchronizes properly with the envi- 
ronment, i.e., the time elapsed between a stimulus and the response of the 
process is short enough (relatively to the dynamics of the environment) so 
that the environment is still receptive to the response. 

Furthermore, the behaviour of a process should be reproducible with regard to 
input events, or, in more technical terms, deterministic. Both these requirements 
are prerequisites for the dependable service of a process, for instance as controller 
in a safety-critical environment such as an automobile, an aircraft, or a power 
station. 

Available synchronous formalisms are quite different in focus and style: 

— Data flow languages such as Lustre [4] or Signal [7] are particularly suited for 
representing periodic behaviour as is typical for “continuous” computation 
of sensor/actuator data, 

— state-based languages such as Esterel [1] are better suited for “spontaneous” 
control behaviour, e.g. that of a mouse or a track pad. 

— Graphical languages such as Statecharts [5] or Argos [9] are useful for struc- 
turing as, e.g., representing “change of mode” of a continuous system. 

Existence of several synchronous formalisms is rather an advantage than a draw-
back: the formalisms are complementary, addressing different aspects of use. For
instance, we may distinguish several modes of operation in a control application;
a start mode, normal continuous behaviour, exception mode, and a termination
mode. Lustre is most adequate for modelling the normal continuous mode, and,
maybe, an exception mode if its behaviour is cyclic, Argos is well suited to
model change of mode, while Esterel may be useful for the start and termina-
tion modes which typically involve some sequential processing. Real applications

* The work was partially funded by the Esprit LTR Action SYRF, “Synchronous
Reactive Formalisms” (Esprit Project 22703).

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 490-514, 1998. 
Springer-Verlag Berlin Heidelberg 1998 
address such issues, hence a combination of formalisms should prove itself to be
useful which allows the user freely to merge the different points of view. This is
an issue we address in this paper.

The different styles of formalisms are reflected by the different styles of se-
mantics and of implementation:

— Data-flow formalisms are based on a “flow” semantics where each signal is
related to a trace of values

  $v_0\ v_1\ v_2\ \ldots$

Data flow programs constrain these traces. They essentially compile into
(definitional) equation systems with additional registers. This compilation
process amounts to a great extent to a clock resolution calculus.

— On the other hand state-based languages typically rely on a structural
operational semantics. For compilation, these are symbolically presented by
purely boolean equation systems, with additional boolean variables inserted
to drive memory operations on data, these operations being stored in an
action table. This corresponds to a separation between control and data
flows.

Combination of formalisms presumes integration of both semantics and com-
pilation schemes. This report sets up such a semantical framework as well as
a language of reactive processes on which the translation schemes of the Syn-
chronie Workbench (SWB [14]) are based. In particular, some semantic in-
variants are specified which prove to be beneficial for a smooth integration.
Section 2 addresses the semantic issues. In Section 3 we introduce a language
of synchronous automata, our presentation of reactive processes, discuss invari-
ants, and we present in Section 4 particularly efficient translation schemes for
control-based code. Section 5 deals with declarative code, while Section 6 is con-
cerned with combination. Much of the work is based on and extends [12] and
[8], as well as [11]. Our style is informal in order to present the ideas in as little
space as possible; we assume some familiarity with synchronous languages.

2 The Semantic Framework 

2.1 The Model 

Behaviour manifests in what we are able or want to observe. We classify obser- 
vations by attributing a name we refer to as a signal. A signal s may be present 
having a value taken from a set V, or it may be absent. Let S be the set of all 
signals. 

We are concerned with linear time only as modeled by the ordered set uj of 
natural numbers. A trace of a signal s is specihed by a subset C w, the 
frequency of and a valuation : !d — ;> V to a set of values. A system trace d 
consists of a set of signal traces {ds|s G S}. We use to denote the domain 
of system traces, and speak of synchronous behaviour rehecting awareness of 
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“global” time which allows to reason about the presence and the absence of a 
signal. 

A system trace S G is called a flow if !(i := IJ !(is is downward closed, 
i.e. m G !(i if n G !(i and m < n. The idea is that passing of “time” is bound to 
an event, i.e. the presence of at least one signal. We refer to a set of flows as a 
process. Note that every set T C A^ of system traces determines a set T ^ of 
those flows which are in T. The domain Vroc of processes will be the semantic 
domain for synchronous languages. 

Reflecting the synchrony hypothesis we require processes to be reactive, and 
deterministic in the sense below: 

Let T C be a set of input signals, and let T G A^ be a set of (admissible) input 
flows. We say that a process V is reactive with regard to T if Vj = T where 
Vj = {{(is I s G T} I (i G V} is the projection of V to input signals. Further, a 
process V is deterministic if \{5 \ 5j„ G T}| < 1. In other words, a process 

is reactive and deterministic if, for every input flow d G T, there is exactly one 
flow S' such that d = . 

We avoid explicitly discussing typing here (and elsewhere) but assume that 
all the relevant entities are (well-) typed in that the values of a signal s are 
chosen from a specihed set Vg. In particular, we assume existence of a type bool 
of Booleans with a constants true and false, and existence of a type unit with 
the only value being void. In the latter case we speak of a pure signal which is 
fully specihed by its frequency. 

Synchronous data-flow languages impose constraints on signal traces by lifting
relations on data to traces:

$$R(\delta_1, \ldots, \delta_n) \quad\text{iff}\quad \forall i \in \omega.\ \big[\, R(\delta_1(i), \ldots, \delta_n(i)) \text{ if } i \in \textstyle\bigcap_j !\delta_j \,\big],$$

where $R \subseteq V^n$. Such a lifting is called strong if additionally

$$\bigcap_j !\delta_j = \bigcup_j !\delta_j .$$

If this is not the case, we speak of a weak lifting. Strongness implies that all traces
in a relation are of the same frequency. A relation is typically obtained by lifting
a functional equation

$$\delta = f(\delta_1, \ldots, \delta_n),$$

where $f : V^n \to V$ is a function (we regard equality $\delta = \delta'$ as a special case
with $f$ being the identity function).

The more interesting aspect of synchronous data-flow languages is that they
provide a variety of operators for manipulating time indices:

memorisation:
$$\delta' = \mathit{pre}(\delta), \qquad !\delta' = !\delta, \qquad
\delta'(i) = \begin{cases} \mathit{init} & \text{if } i = 0 \\ \delta(\max\{m \in !\delta \mid m < i\}) & \text{else} \end{cases}$$

initialisation:
$$\delta'' = \delta \mathrel{\text{->}} \delta', \qquad !\delta'' = !\delta' \cap !\delta, \qquad
\delta''(i) = \begin{cases} \delta(i) & \text{if } i = \min\, !\delta \\ \delta'(i) & \text{else} \end{cases}$$

downsampling:
$$\delta' = \delta \mathrel{\mathbf{when}} \beta, \qquad !\delta' = \{\, i \in !\delta \cap !\beta \mid \beta(i) = \mathit{true} \,\}, \qquad \delta'(i) = \delta(i)$$

upsampling:
$$\delta'' = \delta \mathrel{\mathbf{default}} \delta', \qquad !\delta'' = !\delta \cup !\delta', \qquad
\delta''(i) = \begin{cases} \delta(i) & \text{if } i \in !\delta \\ \delta'(i) & \text{else} \end{cases}$$

where $\beta$ is of type bool, and where $\mathit{init}$ is an initial value (of appropriate
type). All operators except for the default operator are required to be strong.
There is nothing particular about our choice of operators. Synchronous data-flow
languages such as Lustre [4] or Signal [7] support a different choice.

Elementary declarative programs consist of a set of clauses which are interpreted
disjunctively, plus a declaration of input, output, and local signals,
e.g.

    node raising_edge (x : bool) (y : bool);
    let
      y = false -> x and not pre(x);
    tel

Notation and style differ considerably from one language to another.
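The trace model of this section can be executed directly. The following Python is an example added here by the editor, not code from the paper: a trace is a dictionary from instants to values (its keys are the frequency $!\delta$), the four time-index operators and the strong and weak liftings are written out over such dictionaries, and the raising_edge node above is run on a constructed input. Two details are this example's own assumptions rather than the paper's: `pre` uses init at the first instant of a trace's own frequency when that frequency does not start at 0, and `when` keeps only the instants at which the Boolean trace is true (the reading under which the downsampling operator needs a bool operand).

```python
"""Signal traces as partial functions from instants to values: the keys of the
dictionary are the frequency !delta.  Example added to the text; X and BETA
below are constructed input, not data from the paper."""


def frequency(trace):
    """!delta: the set of instants at which the signal is present."""
    return set(trace)


def lift(rel, *traces, strong=False):
    """Lift a relation on data to traces.  A weak lifting checks rel only on the
    common instants; a strong lifting additionally requires all traces to have the
    same frequency (intersection == union of the frequencies)."""
    freqs = [frequency(t) for t in traces]
    common = set.intersection(*freqs)
    if strong and set.union(*freqs) != common:
        return False
    return all(rel(*(t[i] for t in traces)) for i in common)


def apply_strong(f, *traces):
    """Strong lifting of a function: the result lives on the shared frequency and
    a mismatch of frequencies (a clock error) is rejected."""
    freqs = [frequency(t) for t in traces]
    if any(fr != freqs[0] for fr in freqs):
        raise ValueError("strong lifting of traces with different frequencies")
    return {i: f(*(t[i] for t in traces)) for i in sorted(freqs[0])}


def pre(trace, init):
    """Memorisation: same frequency; init at the first instant of the trace's own
    frequency (instant 0 for a flow), afterwards the value at the previous instant
    of that frequency.  Assumption: init is used even if 0 is not in the frequency."""
    out, prev = {}, None
    for i in sorted(trace):
        out[i] = init if prev is None else trace[prev]
        prev = i
    return out


def arrow(d, d2):
    """Initialisation d -> d2: d's value at the first common instant, d2's afterwards."""
    common = frequency(d) & frequency(d2)
    if not common:
        return {}
    first = min(common)
    return {i: (d[i] if i == first else d2[i]) for i in sorted(common)}


def when(d, beta):
    """Downsampling: the instants of !d and !beta at which the Boolean trace beta is true."""
    return {i: d[i] for i in sorted(frequency(d) & frequency(beta)) if beta[i]}


def default(d, d2):
    """Upsampling d default d2: d where present, otherwise d2; frequency is the union."""
    return {i: (d[i] if i in d else d2[i]) for i in sorted(frequency(d) | frequency(d2))}


def raising_edge(x):
    """The node `y = false -> x and not pre(x)` over a Boolean trace x."""
    const_false = {i: False for i in x}
    edge = apply_strong(lambda now, before: now and not before, x, pre(x, False))
    return arrow(const_false, edge)


# Constructed input: x is present at every instant 0..5, i.e. it is a flow.
X = {0: False, 1: True, 2: True, 3: False, 4: True, 5: True}
BETA = {0: True, 1: False, 2: True, 3: True, 4: False, 5: True}

if __name__ == "__main__":
    print(raising_edge(X))                                    # rises at instants 1 and 4
    print(when(X, BETA))                                      # x sampled where BETA is true
    print(lift(lambda a, b: a == b, X, when(X, BETA), strong=True))               # False
    print(lift(lambda a, b: a == b, X, default(when(X, BETA), X), strong=True))   # True
```

The last two calls show the point of strongness: `x = x when beta` is rejected as an equation because the frequencies differ, whereas `x = (x when beta) default x` is accepted, the default operator being the one operator not required to be strong.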



2.2 The Operational Model

We complement our semantic model by an operational model which is just as simple.
Let synchronous computation be specified by a labelled transition system $\mathcal{P}$ of
the form

$$\sigma \xrightarrow{\;E / E'\;} \sigma'$$

where $\sigma, \sigma'$ are states, and where $E \subseteq S$ indicates which signals are present when
changing state. We refer to $E$ as an event, and to a single transition as an instant
of time. The set $E'$ specifies which signals are emitted by $\mathcal{P}$ at the given instant.
We require that $E' \subseteq E$, i.e. the output event is part of the overall event. This
property is referred to as consistency.

An event is specified by a partial function $E$ from $S$ to $V$ which we present
by its graph, i.e. the set $E \subseteq S \times V$ such that $v = v'$ whenever $(s, v), (s, v') \in E$
(which justifies the subset notation above). Let $V^S$ denote the set of partial
functions from $S$ to $V$.

States are of the form $\sigma \in V^R$ where $R$ is a finite set of registers (with
$S \cap R = \emptyset$). Registers behave similarly to signals: a register $r \in R$ may be active,
having a valuation $\sigma(r) \in V$, or it may be inactive. The difference between signals
and registers is that signals are set for the present instant while registers are set
for the next instant.

In other words, our operational model is a Mealy machine with a particular
structure of events and of states. We note that every sequence

$$\sigma_0 \xrightarrow{\;E_0 / E'_0\;} \sigma_1 \xrightarrow{\;E_1 / E'_1\;} \sigma_2 \xrightarrow{\;E_2 / E'_2\;} \cdots$$

of reactions specifies a flow $\delta \in \Delta^S$ such that $n \in !\delta_s$ and $\delta_s(n) = v$ iff $(s, v) \in E_n$.

2.3 Synchronous Automata

Favourite synchronous languages such as Esterel [1], or Argos [9], the
synchronous variant of Statecharts [5], are closely related to this operational
model. We present our own brand of a very elementary language, named
synchronous automata, for programming such machines. Synchronous automata will
serve as an intermediate layer for compilation schemes.

A synchronous automaton $\mathcal{P}$ consists of a set of actions of the form

    if $\varphi$ then $x = e$

where $x$ is a name, $e$ is a data expression, and $\varphi$ is a pure (signal) expression
(of appropriate form). For the semantics, let an environment be defined to be a
union $\sigma \cup E$ with $\sigma \in V^R$ and $E \in V^S$. The notation is justified by the
isomorphism $V^R \times V^S \cong V^{R \cup S}$. Then

$$(x, e(\sigma \cup E)) \in \sigma' \cup E' \quad\text{iff}\quad \sigma \cup E \models \varphi,$$

"if the condition $\varphi$ holds in the environment $\sigma \cup E$, then the register or
signal $x$ is set to the value obtained by evaluating $e$ in the environment $\sigma \cup E$".
A synchronous component is a synchronous automaton wrapped with a header:

    syn_aut raising_edge (α, β : unit; x : bool) (y : bool);
    register pre_x : bool;
    let
      if α ∨ β then pre_x = x;
      if α then y = false;
      if β then y = x and not pre_x;
    tel

recodes the declarative raising edge program. The input parameters $\alpha$ and $\beta$
explicitly represent the time index of the declarative model: $\alpha$ is true at the very
first instant of time, and $\beta$ is true at all instants of time except for the first
one. Hence $\alpha \vee \beta$ represents the whole time scale $\omega$. With regard to the original
program, the pre-operator on time indices has been replaced by a register which
stores the previous value.

To give another example, let us consider the Esterel program

    module one_bit (event : unit) (on : unit);
    loop
      await event;
      await event;
      emit on
    end
    end

Once started, the signal on is emitted after every second "event". A corresponding
synchronous automaton is specified by:

    syn_aut one_bit (α, β, event : unit) (on : unit);
    register h1, h2 : unit;
    let
      if α ∨ (event ∧ β ∧ h2) ∨ (¬event ∧ β ∧ h1) then h1 = void;
      if (event ∧ β ∧ h1) ∨ (¬event ∧ β ∧ h2) then h2 = void;
      if event ∧ β ∧ h2 then on = void
    tel

The same automaton implements the Argos diagram below:

    [Argos diagram: two states, 1 and 2; the transition from 1 to 2 is labelled
    β.event/ and the transition from 2 to 1 is labelled β.event/on]

2.4 Reactivity and Control

For the semantics of synchronous automata we require (for the time being)
that all actions are consistent: two actions (if $\varphi$ then $x = e$) and (if $\varphi'$
then $x' = e'$) are consistent at $\sigma \cup E$ if $e(\sigma \cup E) = e'(\sigma \cup E)$ whenever $x = x'$
and $\sigma \cup E \models \varphi$ and $\sigma \cup E \models \varphi'$. Then a synchronous automaton determines a
transition function

$$\mathcal{P}^\circ : V^{R \cup S} \to V^R$$

and an output function

$$\mathcal{P}' : V^{R \cup S} \to V^S .$$

The reaction of an automaton at an instant may depend on the signals emitted
by itself. Hence, given some set $E$ of "inputs", the reaction should be stable
in that

    stability    $\mathcal{P}'(\sigma \cup E) \subseteq E$

holds. Moreover, we would like to distinguish between signals $E$ which are broadcast
by the environment, and those signals $E'$ which are emitted by $\mathcal{P}$. We say
that a reaction is coherent if each signal is either an "input" or emitted by $\mathcal{P}$:

    coherence    Given an "input" $E \subseteq S$, a reaction $E' \subseteq S$ is coherent
                 if $E \subseteq E'$, $E'$ is stable, and $E' \setminus \mathcal{P}'(\sigma \cup E') \subseteq E$.

We expect an automaton to react to every input coherently and reproducibly:

    reactivity   For every input, there exists a unique¹ coherent reaction.

Given reactivity, the automaton $\mathcal{P}$ defines reaction functions $\bar{\mathcal{P}}'$ and $\bar{\mathcal{P}}^\circ$ of the
same arity as $\mathcal{P}'$ and $\mathcal{P}^\circ$ such that $\bar{\mathcal{P}}'(\sigma \cup E) = E'$ and $\bar{\mathcal{P}}^\circ(\sigma \cup E) = \mathcal{P}^\circ(\sigma \cup E')$,
where $E'$ is the unique coherent reaction with regard to the input $E$. The automaton $\mathcal{P}$
may be considered as presenting these reaction functions. Of course, not every
automaton is reactive, in that $\bar{\mathcal{P}}$ may fail to exist. It is a matter of causality
analysis [13] to weed out those which are not.

So far, the assumption is that, once started, a system reacts forever. For
structuring purposes we would rather have that (sub-)systems may be active
or inactive, in control or out of control, at different stages of evolution.
We relate control to a particular set of pure registers $C$, the control registers,
and stipulate that a synchronous automaton is out of control if none of these
registers is active. Then the automaton should not be able to react except for
the trivial reaction. The idea is captured by the control axiom:

    control      $\mathcal{P}^\circ(\sigma \cup E) = \emptyset$ and $\mathcal{P}'(\sigma \cup E) = \emptyset$ if $\sigma \cap C = \emptyset$.

Note that a program such as the raising edge program does not a priori satisfy
the control axiom: there is no obvious candidate for a control register. In fact,
"control" is external here, hidden in the frequency $!y = \alpha \vee \beta$; the automaton
computes only if $!y$ is present, hence the respective parameters.

2.5 The Initial Reaction

So far, synchronous automata only specify ongoing behaviours. Some activation
mechanism is needed. We assume that the reaction of a system is immediate when it is
"switched on", hence we assume an initial reaction (rather than an initial state as
in traditional automata theory). The initial reaction should not refer to some
previous state, in that both the initial transition function

$$\mathcal{P}^\circ_\alpha : V^S \to V^R$$

and the initial output function

$$\mathcal{P}'_\alpha : V^S \to V^S$$

do not depend on registers.

Syntactically, let $\mathcal{P}_\alpha \subseteq \mathcal{P}$, and $\mathcal{P}_\beta = \mathcal{P} \setminus \mathcal{P}_\alpha$. We require that

    initialization   $\mathcal{P}'_\alpha(E) \cup \mathcal{P}^\circ_\alpha(E) \neq \emptyset \;\Rightarrow\; \mathcal{P}'_\beta(\sigma \cup E) \cup \mathcal{P}^\circ_\beta(\sigma \cup E) = \emptyset$

for all $\sigma \in V^R$ and $E \in V^S$: either an initial reaction takes place exclusively, or
a reaction depends on a previous state. Note that $\sigma = \emptyset$ is a state which is,
however, persistent due to the control axiom.

We will later use a specific pure system signal

    $\alpha$ - start

which determines the initial reaction of a synchronous automaton. We then can
rephrase initialization to

    initialization   $\alpha \Rightarrow \neg \bigvee C$

¹ The condition may be weakened to existence only. We then speak of a
non-deterministic system.
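A practitioner will want to see the reactivity and control checks of Sections 2.3 to 2.5 actually decided for an automaton. The Python below is an example added here, not code from the paper. It represents a Boolean automaton as a list of actions (condition, target), enumerates all coherent reactions for an input (so that uniqueness is decided exactly, which a least-fixed-point iteration alone cannot do once conditions contain negation, as in one_bit's ¬event), checks the control axiom over every state without active control registers, runs the one_bit automaton above as a Mealy machine with α at the first instant and β afterwards, and exhibits a cyclic automaton (a ⇐ b) ∨ (b ⇐ a) that has two coherent reactions and is therefore not reactive. The names `ALPHA`, `BETA`, the helper `without_alpha` (the same actions with ff substituted for α, i.e. the automaton without its initial reaction) and the input trace are this example's own; the automata are the ones in the text.

```python
"""Boolean synchronous automata as action lists, the coherent-reaction check,
the control axiom and a Mealy-machine run.  Added example; ALPHA, BETA,
without_alpha and the constructed input trace TRACE are this example's own."""
from itertools import combinations

ALPHA, BETA = "alpha", "beta"   # system signals: first instant / later instants


def output(actions, signals, env):
    """P'(sigma u E): the signals emitted in environment env, the set of present
    signals and active registers."""
    return {x for cond, x in actions if x in signals and cond(env)}


def next_state(actions, registers, env):
    """P°(sigma u E): the registers active at the next instant."""
    return {x for cond, x in actions if x in registers and cond(env)}


def coherent_reactions(actions, signals, registers, state, inputs):
    """All E' with E subset E', E' stable (P'(sigma u E') subset E') and
    E' minus P'(sigma u E') subset E.  Every candidate is enumerated, so
    uniqueness is decided exactly even when conditions contain negation."""
    free = sorted(signals - set(inputs))
    found = []
    for k in range(len(free) + 1):
        for extra in combinations(free, k):
            cand = set(inputs) | set(extra)
            emitted = output(actions, signals, set(state) | cand)
            if emitted <= cand and (cand - emitted) <= set(inputs):
                found.append(frozenset(cand))
    return found


def react(actions, signals, registers, state, inputs):
    """The unique coherent reaction as (emitted signals, next state); raises if
    the automaton is not reactive for this input."""
    found = coherent_reactions(actions, signals, registers, state, inputs)
    if len(found) != 1:
        raise ValueError(f"not reactive: {len(found)} coherent reactions for {sorted(inputs)}")
    event = set(found[0])
    return event - set(inputs), next_state(actions, registers, set(state) | event)


def run(actions, signals, registers, input_trace):
    """Mealy-machine run from the empty state: alpha is added at instant 0 and
    beta at every later instant; returns the signals emitted per instant."""
    state, emitted = set(), []
    for i, inp in enumerate(input_trace):
        inp = set(inp) | {ALPHA if i == 0 else BETA}
        out, state = react(actions, signals, registers, state, inp)
        emitted.append(out)
    return emitted


def control_axiom_holds(actions, signals, registers, control):
    """Control axiom: P'(sigma u E) and P°(sigma u E) are empty whenever no
    control register is active, checked over all such states and all inputs E."""
    plain = sorted(set(registers) - set(control))
    sigs = sorted(signals)
    for k in range(len(plain) + 1):
        for regs in combinations(plain, k):
            for m in range(len(sigs) + 1):
                for present in combinations(sigs, m):
                    env = set(regs) | set(present)
                    if output(actions, signals, env) or next_state(actions, registers, env):
                        return False
    return True


def without_alpha(actions):
    """P[ff/alpha]: the same actions with alpha substituted by false, i.e. the
    automaton without its initial reaction (this example's helper)."""
    return [(lambda env, c=cond: c(set(env) - {ALPHA}), x) for cond, x in actions]


# The one_bit automaton of the text: h1, h2 control registers, `on` emitted
# after every second `event`.
ONE_BIT_SIGNALS = {ALPHA, BETA, "event", "on"}
ONE_BIT_REGISTERS = {"h1", "h2"}
ONE_BIT = [
    (lambda e: ALPHA in e or ("event" in e and BETA in e and "h2" in e)
               or ("event" not in e and BETA in e and "h1" in e), "h1"),
    (lambda e: ("event" in e and BETA in e and "h1" in e)
               or ("event" not in e and BETA in e and "h2" in e), "h2"),
    (lambda e: "event" in e and BETA in e and "h2" in e, "on"),
]

# A cyclic automaton (a <= b) v (b <= a): both halves are reactive, the union is not.
CYCLIC = [(lambda e: "b" in e, "a"), (lambda e: "a" in e, "b")]

# Constructed input trace: `event` present at instants 1, 2, 4 and 5.
TRACE = [set(), {"event"}, {"event"}, set(), {"event"}, {"event"}]

if __name__ == "__main__":
    print(run(ONE_BIT, ONE_BIT_SIGNALS, ONE_BIT_REGISTERS, TRACE))             # on at instants 2 and 5
    print(len(coherent_reactions(CYCLIC, {"a", "b"}, set(), set(), set())))      # 2, hence not reactive
    print(control_axiom_holds(ONE_BIT, ONE_BIT_SIGNALS, ONE_BIT_REGISTERS, ONE_BIT_REGISTERS))                 # False
    print(control_axiom_holds(without_alpha(ONE_BIT), ONE_BIT_SIGNALS, ONE_BIT_REGISTERS, ONE_BIT_REGISTERS))  # True
```

The last two lines make the point of this section concrete: one_bit as written violates the control axiom only through its initial reaction (the action h1 ← α fires in the empty state), and the automaton with α replaced by ff satisfies it. The enumeration in `coherent_reactions` is exponential in the number of non-input signals, which is why the text defers the general case to a causality analysis.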

3 A Language of Synchronous Automata

3.1 Some Basic Operators and Predicates

We introduce an intermediate layer of operators on synchronous automata, each
of which reflects semantic as well as programming concepts. A first definition
of such a language has been given in [8], which carefully elaborates the choices
made. Here we define a slightly revised version.

As a first step, we factor synchronous automata into a pure control part,
which we refer to as a Boolean automaton, and an "action table". All registers of
the Boolean automaton are control registers. The two subautomata communicate
via pure signals only. Hence we adopt a control-based view, but this does not
restrict generality. Let $\mathcal{P}$ from now on range over Boolean automata.

Boolean automata will be enhanced by three predicates:

    $\mathcal{P}.\omega$ - termination
    $\mathcal{P}.\tau$ - interrupt
    $\mathcal{P}.\eta$ - control

which are synthesized. The predicate $\mathcal{P}.\omega$ evaluates to true if $\mathcal{P}$ terminates, $\mathcal{P}.\tau$
evaluates to true if $\mathcal{P}$ issues an interrupt, and $\mathcal{P}.\eta$ evaluates to true if $\mathcal{P}$ is in
control. We expect that the invariant

    termination   $\mathcal{P}.\omega \Rightarrow \neg \mathcal{P}.\eta'$

holds, where we use the notation $\ldots'$ to refer to the value at the next instant: if
$\mathcal{P}$ terminates, all control registers become inactive.

Now the most elementary of our operators are

    $s \Leftarrow \varphi$          emit the pure signal $s$
    $h \leftarrow \varphi$          activate the control register $h$
    nothing        which does nothing, but terminates
    $\mathcal{P} \vee \mathcal{Q}$      the union of $\mathcal{P}$ and $\mathcal{Q}$, and
    $\varphi \wedge \mathcal{P}$      guarding $\mathcal{P}$ by the condition $\varphi$,

where (if $\varphi \wedge \psi$ then $x = e$) is an action of $\varphi \wedge \mathcal{P}$ if (if $\psi$ then $x = e$) is an action
of $\mathcal{P}$. We stipulate:

- Emittance is defined by

      $s \Leftarrow \varphi \;:\Leftrightarrow\;$ if $\varphi$ then $s = \mathit{void}$.

  It terminates instantaneously, but neither raises an interrupt nor keeps
  control:

      $(s \Leftarrow \varphi).\omega = \mathit{tt}$
      $(s \Leftarrow \varphi).\tau = \mathit{ff}$
      $(s \Leftarrow \varphi).\eta = \mathit{ff}$

- Activation is defined by

      $h \leftarrow \varphi \;:\Leftrightarrow\;$ if $\varphi$ then $h = \mathit{void}$.

  If the register is activated then control is kept, and no termination takes
  place. No interrupt is raised:

      $(h \leftarrow \varphi).\omega = \neg h'$
      $(h \leftarrow \varphi).\tau = \mathit{ff}$
      $(h \leftarrow \varphi).\eta = h$

- nothing has the empty set of actions,

      nothing $\;:\Leftrightarrow\; \emptyset$,

  and it terminates instantaneously:

      nothing.$\omega = \mathit{tt}$
      nothing.$\tau = \mathit{ff}$
      nothing.$\eta = \mathit{ff}$

- Disjunction means disjunction:

      $(\mathcal{P} \vee \mathcal{Q}).\omega = \mathcal{P}.\omega \vee \mathcal{Q}.\omega$
      $(\mathcal{P} \vee \mathcal{Q}).\tau = \mathcal{P}.\tau \vee \mathcal{Q}.\tau$
      $(\mathcal{P} \vee \mathcal{Q}).\eta = \mathcal{P}.\eta \vee \mathcal{Q}.\eta$

- Guarding raises an interrupt signal and restricts termination, but does not
  affect control²:

      $(\varphi \wedge \mathcal{P}).\omega = \varphi \wedge \mathcal{P}.\omega$
      $(\varphi \wedge \mathcal{P}).\tau = \varphi$
      $(\varphi \wedge \mathcal{P}).\eta = \mathcal{P}.\eta$

² This abstracts a mechanism introduced by Reinhard Budde for the compilation of
synchronousEiffel [3].

Further, we have already introduced a number of operators implicitly:

    $\mathcal{P}_\alpha$ - the initial reaction
    $\mathcal{P}_\beta$ - the ongoing reaction
    $\mathcal{P}^\circ$ - the transition function
    $\mathcal{P}'$ - the output function

This completes the set of basic operators.
A number of familiar operators are easily specified in terms of these base
operators. We give a couple of examples using our syntactical convention that
the system signal $\alpha$ specifies the first reaction.

$$\begin{array}{rcll}
\mathbf{emit}\ s & = & s \Leftarrow \alpha & (1)\\
\mathit{halt}_h & = & h \leftarrow \alpha \vee h & (2)\\
\mathbf{start}\ \mathcal{P}\ \mathbf{at}\ \varphi & = & (\varphi \wedge \mathcal{P}_\alpha) \vee \mathcal{P}_\beta & (3)\\
\mathbf{if}\ \varphi\ \mathbf{then}\ \mathcal{P}\ \mathbf{else}\ \mathcal{Q}\ \mathbf{fi} & = & (\mathbf{start}\ \mathcal{P}\ \mathbf{at}\ \varphi) \vee (\mathbf{start}\ \mathcal{Q}\ \mathbf{at}\ \neg\varphi) & (4)\\
\mathbf{if}\ \varphi\ \mathbf{then}\ \mathcal{P}\ \mathbf{fi} & = & \mathbf{if}\ \varphi\ \mathbf{then}\ \mathcal{P}\ \mathbf{else}\ \mathbf{nothing}\ \mathbf{fi} & (5)\\
\mathcal{P} \,;\, \mathcal{Q} & = & \mathcal{P} \vee (\mathbf{start}\ \mathcal{Q}\ \mathbf{at}\ \mathcal{P}.\omega) & (6)\\
\mathbf{loop}\ \mathcal{P}\ \mathbf{end} & = & \mathcal{P} \vee (\mathbf{start}\ \mathcal{P}\ \mathbf{at}\ \mathcal{P}.\omega) & (7)\\
\mathbf{terminate}\ \mathcal{P}\ \mathbf{if}\ \varphi & = & \mathcal{P}' \vee (\neg\varphi \wedge \mathcal{P}^\circ) & (8)\\
\mathbf{terminate}\ \mathcal{P}\ \mathbf{if\ next}\ \varphi & = & \mathcal{P}' \vee \mathcal{P}^\circ_\alpha \vee (\neg\varphi \wedge \mathcal{P}^\circ_\beta) & (9)\\
\mathbf{cancel}\ \mathcal{P}\ \mathbf{if}\ \varphi & = & \neg\varphi \wedge \mathcal{P} & (10)\\
\mathbf{cancel}\ \mathcal{P}\ \mathbf{if\ next}\ \varphi & = & \mathcal{P}_\alpha \vee (\neg\varphi \wedge \mathcal{P}_\beta) & (11)\\
\mathbf{await}\ \varphi & = & \mathbf{cancel}\ \mathit{halt}_h\ \mathbf{if}\ \varphi & (12)\\
\mathbf{await\ next}\ \varphi & = & \mathbf{cancel}\ \mathit{halt}_h\ \mathbf{if\ next}\ \varphi & (13)\\
\mathbf{do}\ \mathcal{P}\ \mathbf{when}\ \varphi & = & (\varphi \wedge \mathcal{P}) \vee (\neg\varphi \wedge \mathit{KEEP}) & (14)\\
\mathbf{do}\ \mathcal{P}\ \mathbf{when\ next}\ \varphi & = & \mathcal{P}_\alpha \vee (\varphi \wedge \mathcal{P}_\beta) \vee (\neg\varphi \wedge \mathit{KEEP}) & (15)
\end{array}$$

where $\mathit{KEEP} = \{\, h \leftarrow h \mid h \in C \,\}$. In words:

1. The signal $s$ is emitted in the first instant only.

2. The control register $h$ is activated in the first instant, and then kept
   activated.

3. $\mathcal{P}$ starts only if the condition $\varphi$ holds.

4. If $\varphi$ holds then $\mathcal{P}$ is executed, otherwise $\mathcal{Q}$.

5. Obvious.

6. $\mathcal{P}$ computes first. If $\mathcal{P}$ terminates, $\mathcal{Q}$ starts to compute.

7. $\mathcal{P}$ is immediately reinitialised if it terminates.

8. $\mathcal{P}$ loses control if $\varphi$ holds (weak preemption).

9. As above, but preemption does not take place in the first instant.

10. As (8), but signals are not emitted either (strong preemption).

11. As above, but preemption does not take place in the first instant.

12. Whenever the control register $h$ gets control, control will stay with $h$ till the
    condition $\varphi$ holds. If $\varphi$ holds in the first instant, $h$ does not get control.

13. As above, but $h$ gets control in the first instant whether or not the condition
    holds.

14. $\mathcal{P}$ is downsampled in that $\mathcal{P}$ computes only if the condition $\varphi$ holds;
    otherwise the present status of the control registers is kept. Note that the process
    is out of control instantaneously if the condition $\varphi$ does not hold in the first instant,
    but it does not terminate.

15. Here $\mathcal{P}$ is started in the first instant whatever $\varphi$ says.
With regard to preemption it may be worthwhile to observe that the diagram

    [2 x 2 diagram of what a preemption may suppress: signals at the first instant,
    signals at later instants, registers at the first instant, registers at later instants]

displays all the preemption strategies of our model. Overall there are sixteen
different strategies, starting with no preemption at all up to preemption of all signals
and registers. The latter is the strategy specified by the operator cancel $\mathcal{P}$ if $\varphi$.
A modification is to cancel only at later instants, which covers the two squares
on the right and more or less corresponds to the do ... watching mechanism
of Esterel. Preemption by termination does not affect signals, hence
covers only the two lower squares, being a mild variant of the trap statement of
Esterel. If applied only in later instants, termination covers exactly the lower
square on the right. The latter corresponds to the preemption mechanism used
in Argos.

3.2 Concerning Compositionality

Our set of base operators has several defects with regard to compositionality,
meaning that our semantic requirements and invariants are not preserved.

Most notably, disjunction does not preserve reactivity: e.g.

$$(a \Leftarrow b) \vee (b \Leftarrow a)$$

is not well behaved though its components are. This is well known and inherent,
and there is no way to obtain a compositional analysis of reactivity. Hence we
abandon any hope of a compositional solution and use global causality analysis,
as everybody else does.

However, disjunction does not preserve the control axiom either: e.g.

$$(h \leftarrow \mathit{tt}) \vee (a \Leftarrow \mathit{tt})$$

terminates though it keeps control. In fact, disjunction is only a very useful
auxiliary operator, and the basis of

    $\mathcal{P} \otimes \mathcal{Q}$ - parallel composition

where $\mathcal{P} \otimes \mathcal{Q}$ is equivalent to $\mathcal{P} \vee \mathcal{Q}$ except that we have a new termination
condition:

$$(\mathcal{P} \otimes \mathcal{Q}).\omega = (\mathcal{P}.\omega \wedge \mathcal{Q}.\omega) \vee (\mathcal{P}.\omega \wedge \mathcal{P}.\eta \wedge \neg\mathcal{Q}.\eta) \vee (\mathcal{Q}.\omega \wedge \mathcal{Q}.\eta \wedge \neg\mathcal{P}.\eta)$$

The parallel composition of $\mathcal{P}$ and $\mathcal{Q}$ terminates if both automata terminate at
the same instant ($\mathcal{P}.\omega \wedge \mathcal{Q}.\omega$), or if $\mathcal{Q}$ has already terminated and $\mathcal{P}$ terminates
($\mathcal{P}.\omega \wedge \mathcal{P}.\eta \wedge \neg\mathcal{Q}.\eta$), and vice versa. As a point of fine tuning, observe that, in
the latter cases, $\mathcal{P}$ must be in control (i.e. $\mathcal{P}.\eta$ holds); otherwise, e.g., $\mathcal{P}$ may
terminate in the first instant, and hence the parallel computation as well, since $\mathcal{Q}.\eta$
must be false because of the initialization axiom. However, $\mathcal{Q}$ may gain control,
as in $(h \leftarrow \mathit{tt}) \vee (a \Leftarrow \mathit{tt})$.

As a kind of dual, we have

    $\mathcal{P} \oplus \mathcal{Q}$ - choice

where $\mathcal{P} \oplus \mathcal{Q}$ is equivalent to $\mathcal{P} \vee \mathcal{Q}$ except that we require that
only one of $\mathcal{P}$ or $\mathcal{Q}$ can obtain control. We can now state a first
"compositionality" result:

Proposition 1. The operators $s \Leftarrow \varphi$, $h \leftarrow \varphi$, nothing, $\mathcal{P} \otimes \mathcal{Q}$, $\mathcal{P} \oplus \mathcal{Q}$, and
$\varphi \wedge \mathcal{P}$ preserve the control axiom.

Having in mind this proposition, the resulting strategy should be to replace the
ill-behaved $\mathcal{P} \vee \mathcal{Q}$ by the well-behaved $\mathcal{P} \otimes \mathcal{Q}$ or $\mathcal{P} \oplus \mathcal{Q}$, exploiting

Lemma 2. $\mathcal{P}_\alpha \vee \mathcal{P}_\beta = \mathcal{P}_\alpha \otimes \mathcal{P}_\beta$

Inspection of the derived operators above shows that we could have used

$$\begin{array}{rcl}
\mathbf{start}\ \mathcal{P}\ \mathbf{at}\ \varphi & = & (\varphi \wedge \mathcal{P}_\alpha) \otimes \mathcal{P}_\beta \\
\mathbf{if}\ \varphi\ \mathbf{then}\ \mathcal{P}\ \mathbf{else}\ \mathcal{Q}\ \mathbf{fi} & = & ((\varphi \wedge \mathcal{P}_\alpha) \otimes \mathcal{P}_\beta) \oplus ((\neg\varphi \wedge \mathcal{Q}_\alpha) \otimes \mathcal{Q}_\beta) \\
\mathcal{P} \,;\, \mathcal{Q} & = & \mathcal{P} \otimes (\mathbf{start}\ \mathcal{Q}\ \mathbf{at}\ \mathcal{P}.\omega) \\
\mathbf{loop}\ \mathcal{P}\ \mathbf{end} & = & \mathcal{P} \otimes (\mathbf{start}\ \mathcal{P}\ \mathbf{at}\ \mathcal{P}.\omega) \\
\mathbf{terminate}\ \mathcal{P}\ \mathbf{if}\ \varphi & = & \mathcal{P}' \otimes (\neg\varphi \wedge \mathcal{P}^\circ) \\
\mathbf{cancel}\ \mathcal{P}\ \mathbf{if}\ \varphi & = & \neg\varphi \wedge \mathcal{P} \\
\mathbf{terminate}\ \mathcal{P}\ \mathbf{if\ next}\ \varphi & = & \mathcal{P}' \otimes \mathcal{P}^\circ_\alpha \otimes (\neg\varphi \wedge \mathcal{P}^\circ_\beta) \\
\mathbf{cancel}\ \mathcal{P}\ \mathbf{if\ next}\ \varphi & = & \mathcal{P}_\alpha \oplus (\neg\varphi \wedge \mathcal{P}_\beta) \\
\mathbf{do}\ \mathcal{P}\ \mathbf{when}\ \varphi & = & (\varphi \wedge \mathcal{P}) \otimes (\neg\varphi \wedge \mathit{KEEP}) \\
\mathbf{do}\ \mathcal{P}\ \mathbf{when\ next}\ \varphi & = & \mathcal{P}_\alpha \oplus (\varphi \wedge \mathcal{P}_\beta) \oplus (\neg\varphi \wedge \mathit{KEEP})
\end{array}$$

rather than the original definitions.
4 Adding Efficiency

4.1 System Signals

Implementation of a concrete language has one other prerogative besides semantic
transparency: efficiency of the resultant code in terms of time and space. The
operators on synchronous automata may obviously fail to produce such code.
However, concrete languages use the operators in rather specific ways. If we are
able to discern these specific patterns, and to implement them efficiently, we
may get the best of both worlds, semantic transparency and efficiency of
the generated code.

We use particular pure signals, so-called system signals, to represent semantic
concepts in a convenient fashion. One of these signals has already been
introduced, the start signal $\alpha$. The idea of $\alpha$ is to specify the notion of the first instant,
hence $\alpha$ corresponds to the operator $\mathcal{P}_\alpha$: let $\mathcal{P}$ be a synchronous automaton, and
define

$$\mathcal{P}_\alpha := \mathcal{P}[\mathit{ff}/C] \qquad\text{and}\qquad \mathcal{P}_\beta := \mathcal{P}[\mathit{ff}/\alpha],$$

where $\mathcal{P}[\mathit{ff}/\alpha]$ states that we substitute $\mathit{ff}$ for $\alpha$ on the right hand side of the actions
of $\mathcal{P}$. Similarly, $\mathcal{P}[\mathit{ff}/C]$ states that $\mathit{ff}$ is substituted for each of the control
registers. We give an example rather than a formal definition:

    $h_1 \leftarrow \alpha \vee (\mathit{event} \wedge \beta \wedge h_2) \vee (\neg\mathit{event} \wedge h_1)$
    $h_2 \leftarrow (\mathit{event} \wedge \beta \wedge h_1) \vee (\neg\mathit{event} \wedge h_2)$
    $\mathit{on} \Leftarrow \mathit{event} \wedge h_2$,

where $h_1$ and $h_2$ are control registers. Then $\mathcal{P}_\alpha$ is defined by

    $h_1 \leftarrow \alpha$,

and $\mathcal{P}_\beta$ by

    $h_1 \leftarrow (\mathit{event} \wedge \beta \wedge h_2) \vee (\neg\mathit{event} \wedge h_1)$
    $h_2 \leftarrow (\mathit{event} \wedge \beta \wedge h_1) \vee (\neg\mathit{event} \wedge h_2)$
    $\mathit{on} \Leftarrow \mathit{event} \wedge h_2$.

In order to make the start signal semantically well behaved we require that

    ($\alpha$)   $\mathcal{P} = \mathcal{P}_\alpha \otimes \mathcal{P}_\beta$.

The example, quite deliberately, suggests the existence of a system signal $\beta$, which we
refer to as the run signal; if $\beta$ is not present, no computation will take place but
the status of the control variables is retained. The run signal provides for a simple
implementation of the when next operator, or dually the suspend operator:

$$\mathcal{P}\ \mathbf{when\ next}\ \varphi = \mathcal{P}[\varphi \wedge \beta / \beta].$$

The run signal behaves semantically correctly if

    ($\beta$)   $\mathcal{P} = \mathcal{P}_\alpha \otimes (\beta \wedge \mathcal{P}_\beta) \otimes (\neg\beta \wedge \mathit{KEEP})$.

Next, we have a system signal $\tau$, the preempt signal, which, if present, deactivates
all control registers for the next instant. Semantically we require that

    ($\tau$)   $\mathcal{P} = \mathcal{P}' \otimes (\neg\tau \wedge \mathcal{P}^\circ)$.

These are all the system signals we shall use for efficient translation schemes of
control-based programs.

4.2 Starring

Substitution is an "expensive" operation due to possible code multiplication. In
order to be more efficient we can use "lazy" substitution, i.e. we introduce a local
signal, bind the respective term to this signal, and substitute the signal instead
of the term:

$$\mathcal{P}[\varphi/x] \quad\text{becomes}\quad \mathcal{P}[\gamma/x] \vee (\gamma \Leftarrow \varphi).$$

This operation is constant in size, however not quite equivalent in our setup.
For example, consider $\mathcal{P}[\alpha \vee h/\alpha]$ where $\mathcal{P} = (a \Leftarrow \alpha)$, and where $h$ is a control
register. Clearly $\mathcal{P}[\alpha \vee h/\alpha] = (a \Leftarrow \alpha \vee h)$, and

$$\mathcal{P}[\alpha \vee h/\alpha]_\alpha = (a \Leftarrow \alpha) \qquad\text{and}\qquad \mathcal{P}[\alpha \vee h/\alpha]_\beta = (a \Leftarrow h).$$

On the other hand we have

$$(\mathcal{P}[\gamma/\alpha] \otimes (\gamma \Leftarrow \alpha \vee h))_\alpha = (\gamma \Leftarrow \alpha) \vee (a \Leftarrow \gamma)$$
$$(\mathcal{P}[\gamma/\alpha] \otimes (\gamma \Leftarrow \alpha \vee h))_\beta = (\gamma \Leftarrow h) \vee (a \Leftarrow \gamma)$$

Obviously, the operators of our algebra of concrete synchronous automata are
not compositional with regard to local variables.

We resolve the problem by adding a new operation, starring, which renames
all local signals. Let $\mathcal{L}(\mathcal{P})$ be the set of local signals of $\mathcal{P}$. Then

$$\mathcal{P}^* := \mathcal{P}[\, s^*//s \mid s \in \mathcal{L}(\mathcal{P}) \,]$$

where $\mathcal{P}[\, s^*//s \mid s \in \mathcal{L}(\mathcal{P}) \,]$ states that every local signal $s \in \mathcal{L}(\mathcal{P})$ is renamed
to $s^*$ everywhere in $\mathcal{P}$ (this is different from substitution, which affects only the
$\varphi$'s in $s \Leftarrow \varphi$ and $h \leftarrow \varphi$). Again an example should be sufficient to grasp the
idea:

$$((\gamma \Leftarrow \alpha) \vee (a \Leftarrow \gamma))^* = (\gamma^* \Leftarrow \alpha) \vee (a \Leftarrow \gamma^*),$$

where $\gamma$ is a local variable. Thus we should in general redefine $\mathcal{P}_\alpha$ to

$$\mathcal{P}_\alpha = \mathcal{P}[\mathit{ff}/C]^* .$$

Then lazy substitution is compositional, with our trivial example hopefully being
enough of a witness to substantiate the claim. These observations have been used
in [12] where we give a translation of Esterel and prove its correctness.
4.3 Reincarnation

The starring operator resolves another subtlety of synchronous languages which
is related to the loop construct: reincarnation [1]. For example, if control is with
await c in

    loop signal a in if a then emit b; await c; emit a end end

then presence of c will imply emittance of a, reinitialisation of the loop, evaluation
of the if-statement, and finally control will again be with the await
statement. The question is whether b will be emitted or not. It should not: in
a block structured language, leaving a block will forget all bindings. Entering
the block, a new incarnation of the bound variables, here a, is generated. Due to
coherence this new incarnation cannot be present, hence b is not emitted. Note
that we have two incarnations of a existing at the same instant, one incarnation
being present, the other not.

With $a$ being local, starring generates two copies, $a$ and $a^*$, the latter covering
the reentry of the loop. Applying the definitions we roughly obtain the automaton

    $b \Leftarrow a^* \wedge (\alpha \vee c \wedge h)$
    $h \leftarrow \alpha \vee (c \wedge h) \vee (\neg c \wedge h)$
    $a \Leftarrow c \wedge h$

which behaves perfectly well.

4.4 Complexity

The splitting of $\mathcal{P}$ into $\mathcal{P}_\alpha$ and $\mathcal{P}_\beta$ may cause quadratic growth. Assume we
have the action

$$\mathcal{P} = (a \Leftarrow b \wedge (\alpha \vee h_1))$$

with $h_1$ being a control register. Then splitting generates two copies of $b$,

$$\mathcal{P}_\alpha = (a \Leftarrow b \wedge \alpha) \qquad\qquad \mathcal{P}_\beta = (a \Leftarrow b \wedge h_1).$$

Now we may need to substitute $(\mathcal{P}_\alpha \otimes \mathcal{P}_\beta)[\gamma/\alpha] \otimes \{\gamma \Leftarrow b \wedge (\alpha \vee h_2)\}$, and to
split again, which leaves us with three copies of $b$ in the ongoing part:

$$((\mathcal{P}_\alpha \otimes \mathcal{P}_\beta)[\gamma/\alpha])_\alpha = (a \Leftarrow b \wedge \gamma^*) \vee (\gamma^* \Leftarrow b \wedge \alpha)$$
$$((\mathcal{P}_\alpha \otimes \mathcal{P}_\beta)[\gamma/\alpha])_\beta = (a \Leftarrow b \wedge h_1) \vee (a \Leftarrow b \wedge \gamma) \vee (\gamma \Leftarrow b \wedge h_2).$$

In general, the number of copies grows like a geometric sum in $n$, with $n$ being the
number of nested splittings.

Further, splitting is expensive in terms of translation time since every
subexpression needs to be touched. Hence, splitting should be avoided whenever this
is feasible.
4.5 An Imperative Core

With these definitions, the basic operators of an imperative synchronous language
can be implemented as follows, omitting the predicates $\mathcal{P}.\omega$, $\mathcal{P}.\tau$, $\mathcal{P}.\eta$, the
definitions of which are not changed:

All the signals named with Greek letters are local except for $\alpha$, $\beta$, $\tau$. We have

Proposition 3. All these operators satisfy the control axiom and the initialization
axiom, and they satisfy the ($\alpha$), ($\beta$), ($\tau$) axioms.

The proof works very much along the lines of that given in [12], except that
we have axiomatized some of the invariants used in that proof. Most cases are in fact
straightforward but tedious.

All the other operators are in fact derived:

$$\begin{array}{rcl}
\mathbf{do}\ \mathcal{P}\ \mathbf{when}\ \varphi & = & \mathbf{start}\ (\mathbf{do}\ \mathcal{P}\ \mathbf{when\ next}\ \varphi)\ \mathbf{at}\ \varphi \\
\mathbf{cancel}\ \mathcal{P}\ \mathbf{if}\ \varphi & = & \mathbf{cancel}\ (\mathbf{do}\ \mathcal{P}\ \mathbf{when}\ \neg\varphi)\ \mathbf{if}\ \varphi \\
\mathbf{cancel}\ \mathcal{P}\ \mathbf{if\ next}\ \varphi & = & \mathbf{terminate}\ (\mathbf{do}\ \mathcal{P}\ \mathbf{when\ next}\ \neg\varphi)\ \mathbf{if\ next}\ \varphi
\end{array}$$

We have reduced the number of splittings to one case, the loop construct, but
the more intuitive definition

$$\mathbf{loop}\ \mathcal{P}\ \mathbf{end} = \mathcal{P}[\gamma/\alpha] \vee (\gamma \Leftarrow \alpha \vee \mathcal{P}.\omega)$$

may be incorrect semantically. In an inductive proof, the initialisation axiom is
crucial for avoiding the splitting operator. However, this may fail to hold in the case
of the "intuitive" definition of the loop: if we reenter a loop, some control register
of $\mathcal{P}$ must have been active, in contrast to the initialisation axiom. Hence proper
use of the start signal cannot be guaranteed. Our definition circumvents the
problem because there are no interferences between $\mathcal{P}_\alpha$ and $\mathcal{P}_\beta$, which means
that the initialisation axiom holds (by brute force, so to speak). Splitting is,
however, in many cases unnecessary, and it is a matter of efficiency to anticipate
such cases.

The operators discussed are, modulo syntactic sugar, those of Esterel V5
except for traps, which need an additional attribute not covered here (but in
[12]). We omit the discussion of traps not only because of the additional space
needed but also because we believe that traps are pragmatically unsound in that
few users control the inherent priority scheme.
4.6 State-based Control

As an exercise we give the translation of a state-based language such as Argos
or Statecharts in terms of the operators above. Let each state $h$ correspond
to a control register $h$. We collect all the outgoing transitions from $h$ to some
$h_i$, which we assume to be triggered if a condition $\varphi_i$ holds. While changing state,
a synchronous automaton $\mathcal{P}_i$ will be executed. We use the textual notation

    trans $h$ : $\varphi_1/\mathcal{P}_1$ ; $\ldots$ ; $\varphi_n/\mathcal{P}_n$ end

for

    [state diagram: state $h$ with outgoing transitions numbered $1 : \varphi_1/\mathcal{P}_1$, $\ldots$, $n : \varphi_n/\mathcal{P}_n$]

The numbering specifies priorities in the graphical presentation. Then, for each
state $h$, we have

$$[\![\, \mathbf{trans}\ h : \varphi_1/\mathcal{P}_1 ; \ldots ; \varphi_n/\mathcal{P}_n\ \mathbf{end} \,]\!] = \mathit{HALT} \otimes \mathit{TRAN}$$

where

$$\mathit{HALT} = (\mathbf{start}\ (\mathbf{cancel}\ \mathit{halt}_h\ \mathbf{if}\ \tau_h)\ \mathbf{at}\ \alpha_h) \vee (\tau_h \Leftarrow \tau \vee \mathit{TRAN}.\tau)$$
$$\mathit{TRAN} = \mathbf{start}\ (\mathbf{if}\ \varphi_1\ \mathbf{then}\ \mathcal{P}_1 ; \mathbf{emit}\ \alpha_{h_1}\ \mathbf{fi} ; \ldots ; \varphi_n \wedge (\mathcal{P}_n ; \mathbf{emit}\ \alpha_{h_n}))\ \mathbf{at}\ h$$

For each state $h$, $\alpha_h$ is a local signal: if $\alpha_h$ is present, the control register $h$
is activated for the next instant. Only then is $\mathit{TRAN}$ initialized. If one of the
conditions $\varphi_i$ holds, the register $h$ will be preempted and $\mathcal{P}_i$ will be executed.
For the hierarchical structure one may add

    trans $h = \mathcal{P}$ : $\varphi_1/\mathcal{P}_1$ ; $\ldots$ ; $\varphi_n/\mathcal{P}_n$ end

to state that $\mathcal{P}$ refines the state $h$, and redefine $\mathit{HALT}$ to

$$\mathit{HALT} = (\mathbf{start}\ (\mathbf{cancel}\ (\mathit{halt}_h \otimes (\mathbf{do}\ \mathcal{P}\ \mathbf{when\ next}\ h))\ \mathbf{if}\ \tau_h)\ \mathbf{at}\ \alpha_h) \vee (\tau_h \Leftarrow \tau \vee \mathit{TRAN}.\tau)$$

4.7 Data

Dealing with data one has to be more specific about the "action table". We
consider here only a very simple kind of data action, assignment to a memory
cell:

$$(\mathbf{if}\ \chi\ \mathbf{then}\ x := e) = (\mathbf{if}\ \chi\ \mathbf{then}\ x = e) \vee (\mathbf{if}\ \neg\chi\ \mathbf{then}\ x = x)$$

Here $\chi$ is a pure trigger signal, $x$ is a data register, and $e$ is a data expression
(of suitable type). At every instant, the data expression is computed and its
value assigned to the memory cell, provided that the trigger signal is present.
Otherwise the old value is kept. Hence the assignment notation. Emittance of a
value is then implemented by

$$\mathbf{emit}\ s(e) = (s \Leftarrow \alpha) \vee (a \Leftarrow \alpha) \vee (\mathbf{if}\ a\ \mathbf{then}\ ?s := e)$$

where $a$ is a pure (non-local!) signal. We use a "dual-rail" implementation in
that every valued signal $s$ is represented by a pure signal and a memory register
$?s$. The notation $?s$ refers to the value of the register if used in an expression.
The declaration of a valued signal is of the form

    signal $x$ (: type) in $\mathcal{P}$ end.

The signal is pure if the type information is missing.

Since control may depend on values of the language, we allow the use of $?b$ as a
pure atomic expression (overloading notation). This completes the simple protocol
of how a Boolean automaton and an action table communicate.

5 Declarative Code - Dealing with Frequencies

5.1 Generating Synchronous Automata

Declarative statements define constraints on flows (cf. Section 2.1). We will
concentrate on two such statements, declarations

    flow $x$ (: type) when $\mathcal{E}$ in $\mathcal{P}$ end

and equations

    $x = \mathcal{E}$

We assume that the declaration specifies the frequency $!x$ of $x$ which, as we freely
admit, is a restricted view related to Lustre. $\mathcal{P}$ is a synchronous automaton,
and $\mathcal{E}$ is a valued synchronous automaton, i.e. a pair $\mathcal{E} = (e, \mathcal{E})$ with $e$ being a
data expression, and $\mathcal{E}$ being a synchronous automaton (overloading notation).
We require that $\mathcal{E}.\eta = \mathit{ff}$, i.e. the automaton related to an expression terminates
instantaneously. The value of $\mathcal{E}$ is computed at the frequency $!\mathcal{E}$, which is a
synthesized predicate.

Let, for every pure signal $s$, $!s$ determine its "base frequency" such that $s \preceq\, !s$, where

$$s \preceq s' \quad\text{iff, for all events } E,\ s \in E \text{ implies } s' \in E$$

defines a preorder on signals: if $s$ is part of an event then $s'$ is part of it as well.
Then declarations translate to (forgetting about types)

$$\mathbf{flow}\ x\ \mathbf{when}\ \mathcal{E}\ \mathbf{in}\ \mathcal{P}\ \mathbf{end} = \mathcal{E} \otimes \mathcal{P} \vee (!x \Leftarrow\, !\mathcal{E} \wedge ?b) \vee (\mathbf{if}\ !\mathcal{E}\ \mathbf{then}\ ?b := e)$$

508 A. Poigné and L. Holenderski

where

    $(\mathbf{flow} \ldots).\omega = \mathcal{P}.\omega$
    $(\mathbf{flow} \ldots).\tau = \mathcal{P}.\tau$
    $(\mathbf{flow} \ldots).\eta = \mathcal{P}.\eta$

and equations to

$$(x = \mathcal{E}) = \mathcal{E} \vee (x \Leftarrow\, !x \wedge\, !\mathcal{E}) \vee (\mathbf{if}\ x\ \mathbf{then}\ ?x := e)$$

where

    $(x = \mathcal{E}).\omega = \mathit{tt}$
    $(x = \mathcal{E}).\tau = \mathit{ff}$
    $(x = \mathcal{E}).\eta = \mathit{ff}$.

Data expressions generate valued synchronous automata in a straightforward
way:

$$\mathit{op}(\mathcal{E}_1, \ldots, \mathcal{E}_n) = (\mathit{op}(e_1, \ldots, e_n),\ \mathcal{E}_1 \otimes \cdots \otimes \mathcal{E}_n)$$

Flow variables translate to

$$x = (?x, \mathbf{nothing}).$$

All declarative synchronous languages share the concept of memorization, which
is an operator on expressions, and which is implemented by

$$\mathit{pre}(\mathcal{E}) = (m,\ \mathcal{E} \vee (\mathbf{if}\ !\mathcal{E}\ \mathbf{then}\ m := e)), \qquad !\mathit{pre}(\mathcal{E}) = !\mathcal{E}.$$

$m$ is a new register. A complementary initialization operator has many incarnations;
Lustre uses $\mathcal{E}_1 \mathrel{\text{->}} \mathcal{E}_2$, which translates to

$$(\mathcal{E}_1 \mathrel{\text{->}} \mathcal{E}_2) = \big(e,\ \mathcal{E}_1 \otimes \mathcal{E}_2 \vee \{\, \chi_\alpha \Leftarrow\, !\mathcal{E}_1 \wedge \neg h,\ \ \mathbf{if}\ \chi_\alpha\ \mathbf{then}\ e := e_1,\ \ \chi_\beta \Leftarrow\, !\mathcal{E}_2 \wedge h,\ \ \mathbf{if}\ \chi_\beta\ \mathbf{then}\ e := e_2 \,\}\big)$$
$$!(\mathcal{E}_1 \mathrel{\text{->}} \mathcal{E}_2) = !\mathcal{E}_1 \wedge\, !\mathcal{E}_2$$

The pure register $h$ allows one to distinguish the first instant at which the frequency $!\mathcal{E}_1$ is
present from later instants. The assumption is that $h$ is inactive when starting
the computation. However, $h$ is not a control register.

Downsampling is implemented by

$$(\mathcal{E}_1\ \mathbf{when}\ \mathcal{E}_2) = \big(e,\ (\mathcal{E}_1\ \mathbf{when}\ \chi) \vee \mathcal{E}_2 \vee (\mathbf{if}\ !\mathcal{E}_1\ \mathbf{then}\ ?b := e_2) \vee (\chi \Leftarrow\, !\mathcal{E}_1 \wedge ?b) \vee (\mathbf{if}\ \chi\ \mathbf{then}\ e := e_1)\big)$$
$$!(\mathcal{E}_1\ \mathbf{when}\ \mathcal{E}_2) = \chi, \qquad !\chi = !\mathcal{E}_1$$

At the frequency of $\mathcal{E}_1$, the value is changed if $\mathcal{E}_2$ computes to $\mathit{tt}$. The new value
is that of $\mathcal{E}_1$ at this instant. The upsampling operator in Lustre is the current
operator:

$$\mathit{current}(\mathcal{E}) = \mathcal{E}, \qquad !\mathit{current}(\mathcal{E}) = !!\mathcal{E}$$

Changes only depend on $\mathcal{E}$; otherwise the value is latched, but on the faster
frequency.

5.2 Checking Frequencies 

While being an acceptable implementation, the above fails to satisfy strongness 
of equality (cf. Section 2.1), for which one needs that 

$!x \preceq !\varepsilon$ and $!\varepsilon \preceq !x.$

Frequency analysis is applied to reject programs which do not satisfy such fre- 
quency requirements, similar to causality analysis which rejects causally incor- 
rect programs. Frequency analysis, of course, is a problem of comparing Boolean 
flows, ergo it maps to the satisfiability problem for Boolean expressions, which is 
NP-hard. The problem gets even worse due to the presence of memorization. To 
reduce complexity, only an approximation $\preceq_\Delta$ of $!x \preceq !x'$ is considered. The 
approximations may be more or less sophisticated. Signal offers an elaborate 
“clock” calculus, while Lustre promotes a more down-to-earth approach which 
will be sketched. 

In Lustre the frequency of a flow is determined by its declaration 

flow x (: type) when e 

Let us bind $e$ to $x$ by $\Delta(x) = e :: \Delta(e)$ to obtain a stack of expressions, where 

$\Delta(\mathit{op}()) = [\,]$

$\Delta(\mathit{op}(e_1, \ldots, e_n)) = \Delta(e_1)$, provided that $\Delta(e_1) = \ldots = \Delta(e_n)$

$\Delta(\mathit{pre}(e)) = \Delta(e)$

$\Delta(e_1 \mathrel{\text{->}} e_2) = \Delta(e_1)$, provided that $\Delta(e_1) = \Delta(e_2)$

$\Delta(e_1 \text{ when } e_2) = e_2 :: \Delta(e_1)$, provided that $\Delta(e_1) = \Delta(e_2)$

$\Delta(\mathit{current}(e)) = \mathit{tl}(\Delta(e))$
and let 

$!e \preceq !e' \iff \Delta(e) = \Delta(e')$

lifting the frequency operator $!$ to the syntactic level. 

Lemma 4. Let $\varepsilon$ and $\varepsilon'$ be the valued synchronous automata obtained by translating 
the expressions $e$ and $e'$. Then 

$!\varepsilon \preceq !\varepsilon'$ if $!e \preceq !e'$. 

The frequency analysis can be refined if flow variables are substituted by the 
expressions defining their frequency. 
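As an added example (our code, not the paper's or any Lustre compiler's), the clock-stack analysis Δ(e) of this section and the syntactic relation of Lemma 4, implemented over a small expression AST, together with a stream semantics for pre, ->, when and current so that the syntactic check can be compared with the actual presence pattern of a flow; the tuple encoding of expressions, the `decl` map standing for `flow x when c` declarations, and the sample flows are our assumptions.

```python
# Added example (ours, not the paper's): the frequency-stack analysis Delta(e)
# of Section 5.2 over a small expression AST, plus a stream semantics for pre,
# ->, when and current. Expressions are nested tuples (our encoding):
#   ("const", v)  ("var", name)  ("op", f, e1, ..., en)  ("pre", e)
#   ("init", e1, e2)  ("when", e1, e2)  ("current", e)
ABSENT = None   # an instant at which a flow is absent
NIL = "nil"     # value of pre(e) before e has produced anything

class ClockError(Exception):
    """A 'provided that' side condition of Delta is violated."""

def delta(e, decl):
    """Frequency stack Delta(e); decl maps a flow variable x declared as
    'flow x when c' to the expression c (None = base frequency)."""
    kind = e[0]
    if kind == "const":
        return []                                    # Delta(op()) = []
    if kind == "var":
        c = decl.get(e[1])
        return [] if c is None else [c] + delta(c, decl)   # Delta(x) = c :: Delta(c)
    if kind == "op":
        stacks = [delta(a, decl) for a in e[2:]]
        if any(s != stacks[0] for s in stacks):
            raise ClockError("operands run on different frequencies")
        return stacks[0]
    if kind == "pre":
        return delta(e[1], decl)
    if kind in ("init", "when"):
        d1, d2 = delta(e[1], decl), delta(e[2], decl)
        if d1 != d2:
            raise ClockError(f"{kind}: Delta(e1) != Delta(e2)")
        return d1 if kind == "init" else [e[2]] + d1    # when pushes e2
    if kind == "current":
        d = delta(e[1], decl)
        if not d:
            raise ClockError("current applied to a base-frequency flow")
        return d[1:]                                 # tl(Delta(e))
    raise ValueError(kind)

def same_frequency(e1, e2, decl):
    """Syntactic lifting of !: !e1 <= !e2 iff Delta(e1) = Delta(e2)."""
    return delta(e1, decl) == delta(e2, decl)

def rejected(e, decl):
    """True iff frequency analysis rejects e."""
    try:
        delta(e, decl)
        return False
    except ClockError:
        return True

def eval_flow(e, env, decl, n):
    """Values of e at instants 0..n-1; env holds the input streams of the
    flow variables (lists of length n, ABSENT where the flow is absent)."""
    kind = e[0]
    if kind == "const":
        return [e[1]] * n
    if kind == "var":
        return list(env[e[1]])
    if kind == "op":
        args = [eval_flow(a, env, decl, n) for a in e[2:]]
        return [e[1](*vs) if ABSENT not in vs else ABSENT for vs in zip(*args)]
    if kind == "pre":                                # register m of the translation
        out, m = [], NIL
        for v in eval_flow(e[1], env, decl, n):
            out.append(ABSENT if v is ABSENT else m)
            if v is not ABSENT:
                m = v                                # if !e then m := e
        return out
    if kind == "init":                               # pure register h: first instant seen?
        s1, s2 = (eval_flow(x, env, decl, n) for x in e[1:])
        out, h = [], False
        for v1, v2 in zip(s1, s2):
            out.append(ABSENT if v1 is ABSENT else (v2 if h else v1))
            h = h or v1 is not ABSENT
        return out
    if kind == "when":                               # present iff e1 present and e2 = tt
        s1, s2 = (eval_flow(x, env, decl, n) for x in e[1:])
        return [v1 if v1 is not ABSENT and v2 is True else ABSENT
                for v1, v2 in zip(s1, s2)]
    if kind == "current":                            # latch, re-emitted on tl(Delta(e))
        clk = eval_flow(delta(e[1], decl)[0], env, decl, n)
        out, m = [], NIL
        for v, c in zip(eval_flow(e[1], env, decl, n), clk):
            m = v if v is not ABSENT else m
            out.append(m if c is not ABSENT else ABSENT)
        return out
    raise ValueError(kind)

# Constructed sample: x and c on the base frequency, y declared 'flow y when c'.
DECL = {"x": None, "c": None, "y": ("var", "c")}
ENV = {"x": [1, 2, 3, 4], "c": [True, False, True, False], "y": [10, ABSENT, 30, ABSENT]}
X, C, Y = ("var", "x"), ("var", "c"), ("var", "y")
SAMPLED = ("when", X, C)                             # x when c: same frequency as y
BIG = ("op", lambda a: a > 2, X)                     # x > 2, a boolean on the base frequency
RAISING = ("init", ("const", False),                 # false -> big and not pre(big)
           ("op", lambda a, b: a and b, BIG, ("op", lambda a: not a, ("pre", BIG))))
```

`rejected(("op", f, X, SAMPLED), DECL)` shows the analysis refusing to add a base-frequency flow to a downsampled one, while `Y` and `SAMPLED` pass because their stacks are both `[C]`.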

5.3 A More Liberal Policy 

The requirement that equalities of flows are strong may be too rigid a requirement. 
A flow definition such as 

$x = 1 \text{ when } \phi$

$x = 2 \text{ when } \neg\phi$

is well defined since at each instant of time only one definition applies. In terms 
of the flow model (cf. Section 2.1) this means that each such equation generates 
a flow $!x_i$ indexed by the respective equation and that 

$!x = \bigcup_i !x_i$

specifies the frequency of $x$ with the proviso that the frequencies $!x_i$ are pairwise 
disjoint. An application of this idea can for instance be found in [10], where 
different flow equations operate in different states of an Argos automaton: 




6 Finally - the Combination 

6.1 Adding Control to Equations 

The synchronous automata generated by the declarative code do not provide 
any mechanism to preempt and to (re-)initialize a computation. In more technical 
terms, they do not satisfy the control axiom which is pivotal for controlling 
computations. As a brute-force solution, we just add a control register to each 
equation 

$(x = e)^\alpha = \varepsilon \otimes \mathit{halt}^\alpha \lor (x \Leftarrow !\alpha \land !\varepsilon \land (\alpha \lor \beta \land h)) \lor (\text{if } x \text{ then } x := e)$



Whenever started, the equation is evaluated until the control register is preempted. 
This is inefficient in terms of the number of control registers added, but 
effective. In a more efficient translation, equations share such a control register; 
in a pure declarative program only one such register is needed, the one related to 
the base frequency. One should note, though, that now equations and imperative 
statements may be freely mixed, e.g. a list $(eq_1, \ldots, eq_n)$ of equations translates to 
a l3 T 
eqi 






6.2 A (Re-)View of Data 

We distinguish three kinds of variable entities: valued signals, for short signals, 
flows, and program variables, for short variables. The latter have not been discussed 
yet. There are subtle differences which are probably best explained with 
regard to our implementation model. 

If a valued signal $s$ is emitted several times at the same instant, non- 
determinism may arise in that different values may be assigned to $?s$. This 
non-determinism can be resolved: 

— by adding an associative combine operator, e.g. addition in case of integers, 
which operates on all the values $v_1, \ldots, v_n$ emitted at the same instant in 
that the assignment $?s := v_1 + \ldots + v_n$ takes place, or 

— by scheduling the emissions. 

The strategy of Esterel is to have: 

— valued signals which may have a combine operator, but otherwise non- 
deterministic behaviour is (should be) rejected, and 

— program variables which are scheduled (according to the program structure), 
which are never present, but always have a value (which is the standard notion 
of a program variable). 

E.g. the Esterel code 

x := 1; x := x + 1 

with x being a program variable is evaluated at the same instant, scheduled 
sequentially, and yields the result 2 for x. The statement 

x := 1 || x := x + 1 

is rejected because of non-determinism. Similarly, 

emit s(1) || emit s(?s + 1) 

will be rejected unless, e.g., addition is a combine operator for s. The scheduling 
strategy of valued signals as well as that of flows is that all “writes” at any 
instant should precede all “reads”. This rules out a construction such as 

emit s(1); emit s(?s + 1). 

Our semantic modeling does not cover scheduling, which can be handled by 
adding scheduling information on the level of actions, at the expense of definitions 
being more cumbersome. Causality analysis has to take care of this flow of 
data as well as of the flow of control. 

The difference between flows and valued signals is more subtle. Of course, 
flows are “type-checked” in that frequencies are constrained, while this does 
not apply to valued signals. However, this is not the essential difference since 
we may assume that valued signals run at (some relative) base frequency. The 
more serious problem is due to the fact that declarative code usually assumes 
that every variable has a unique equational definition; otherwise, interferences 
of definitions may occur: consider the equation 

x = 0 -> 1 + pre(x) 

which counts the number of instants. If a second equation 

x = 1 

is computed in parallel, the behaviour is non-deterministic and will be rejected, 
which would be the same for valued signals. Applying a combine operator, 
e.g. +, would, however, result in unacceptable behaviour from the declarative 
point of view in that uniqueness of definition (at an instant) is violated. Hence, a 
combine operator should not be related to flows. 

All the properties are summarized in the table 

             signal      flow        variable 
  presence   !x 
  value      ?x          x           x 
  clock                  √ 
  combine    √ 
  schedule   r ≻ w       r ≻ w       √ 

where x is the name of the respective entity. 

What are the consequences? 

— Either we consider a unified data model as we did in [6], introducing the 
language LEA as a combination of Lustre, Esterel, and Argos, based 
on a unified data model, 

— or we accept the differences of the data models but are liberal in the way 
the concepts interoperate, as we do in this paper using coercions. 

There are various possible coercions, and it is a matter for the language designer 
to make these explicit or not: 

— a valued signal or a program variable x can be coerced into a flow by providing 
some frequency, e.g. by overloading the downsampling operator: x when e. 





On the Combination of Synchronous Languages 513 
— a flow x cannot be turned into a valued signal because uniqueness of definition 
may be lost due to a combine operator. We propose to overload the notation 
in that the pair !x, ?x is of kind signal; !x refers to the clock of x, and ?x to 
the value. However, to preserve uniqueness of definition we translate to 

$(e,\ \text{if } !x \text{ then } e := ?x)$

where $e$ is a new memory cell. 

The hinge between components of different nature is the declarations of input 
and output parameters. Their kind should be specified by the keywords signal, 
flow, and var, e.g. 

node raising_edge (flow x : bool) (signal y : bool); 
flow z : bool; 
let 
  z = false -> x and not pre(x) 
  || 
  if !z then emit y(?z) 
tel 

Then a component call, e.g., 

raising_edge (x' when true) (y') 

is well defined, where x' and y' are signals. We propose 

node raising_edge (flow x : bool) (signal_of_flow y : bool); 
let 
  y = false -> x and not pre(x) 
tel 

as a shorthand notation to the same effect. 

7 Conclusion 

We have presented a unified view of declarative and control-based synchronous 
programming based on very few, semantically meaningful operators on syn- 
chronous automata. We claim no originality with regard to the notion of syn- 
chronous automata, which are closely related to Berry’s hardware interpretation 
[2], though our more algebraic approach, first described in [12] and later extended 
in [8] (which we never bothered to publish, but where we tried to give, for our- 
selves, an account of the ideas underlying the Synchrony Workbench) may 
be mildly interesting, even novel. Of course, the real implementation uses some 
more shortcuts to increase the efficiency of the generated code. The shortcuts do not 
affect correctness because they are always based on well-understood assumptions. 
Anyway, we start from a semantically well-defined basic scheme which has already 
proved to be reasonably efficient if implemented as is, and which has proved to 
be extremely versatile. The latter is, in fact, the rationale of the Synchrony 
Workbench: to have a generic framework for synchronous programming. 
Abstract. We study compositionality issues for the analysis of randomized 
distributed algorithms. We identify three forms of compositionality that we 
call process compositionality, property compositionality, and feature compo- 
sitionality. Process and property compositionality are widely known in the 
literature, while feature compositionality, although used extensively, does not 
appear to be emphasized as much. We show how feature compositionality is 
important for the analysis of randomized systems. 



1 Introduction 

It is widely recognized that compositionality is an essential feature to enable the 
scalability of a formal method. That is, it appears to be practically unfeasible to 
analyze large systems without being able to decompose them into several subcom- 
ponents that can be analyzed separately. Compositionality has received considerable 
attention in the literature; this volume contains several references to the related re- 
sults. In this paper we study compositionality issues for concurrent systems that 
contain probability. More specifically, we focus on the analysis of randomized dis- 
tributed algorithms. We present our study based on the probabilistic model of [38] 
and on a non-trivial case study [33] where the randomized consensus algorithm of 
Aspnes and Herlihy [2] is analyzed. 

The study of randomization within concurrent systems is particularly compli- 
cated due to the interaction of nondeterminism, a typical feature of the theory of 
concurrency, and probability, the result of a random choice. The difficulty of random- 
ization is well known in the literature since we can find claims like “intuition often 
fails to grasp the full intricacy of the algorithm” [31], or “proofs of correctness for 
probabilistic distributed systems are extremely slippery” [24]. The claims above are 
further supported by the recent discovery of some problems on known randomized 
algorithms (e.g., [36, 21, 1]). 

In our study of randomized algorithms we have identified three forms of compo- 
sitionality that we think are important. 

— Compositionality of processes. 

This is the typical use of the term “compositionality”. That is, we study the 
properties of a system by subdividing it into several components, studying the 
properties of each component separately, and then combining the properties of 
the subcomponents to yield the final result. The properties of the components 
are sufficiently abstract to hide most of the low level details of the components. 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 515-540 
Springer-Verlag Berlin Heidelberg 1998 

— Compositionality of properties. 

Rather than decomposing a system into several subcomponents, we decompose 
a property into several simpler properties. Several logics for reasoning about 
concurrent systems use this form of compositionality. 

— Compositionality of features. 

A model for a concurrent system usually includes several paradigms that interfere 
with each other, e.g., real-time, continuous behavior, probability. The picture is 
complicated further by the presence of nondeterminism. Rather than studying 
the system as a whole, we study each paradigm (feature) separately and then 
combine the results. In this way it is possible to study each feature using its own 
tools. Being able to separate features simplifies considerably the analysis of an 
algorithm and reduces the chances of error. In this paper we use coin lemmas to 
separate probability from nondeterminism. 

We start by introducing a formal model for the description of randomized dis- 
tributed algorithms [38]. To enable feature compositionality the model is an exten- 
sion of Labeled Transition Systems (LTSs) [20], since there is an extensive literature 
on the analysis of LTSs that can be adapted to the probabilistic case. In our exten- 
sion of LTSs we use the synchronization mechanism of CSP [18], where processes 
synchronize on common actions and evolve independently on others. Our choice of 
the CSP synchronization style derives from the fact that it allows us to model easily 
distributed algorithms. We call our probabilistic LTSs Probabilistic Automata. Some 
important properties of probabilistic automata are the following. 

— An ordinary LTS is a special case of a probabilistic automaton. 

— The main properties that enable compositional reasoning, e.g., projections of 
executions, are preserved. 

Once probabilistic automata are defined, we introduce a generic notion of a com- 
plexity measure and the related notion of expected complexity of an algorithm. We 
show how it is possible to lift a property of complexity measures to a property of 
expected complexities as an example of feature compositionality. 

We introduce progress statements [25, 38], a probabilistic generalization of the 
leadsto operator of UNITY [6], to illustrate how a complex property can be de- 
composed into simpler properties (property compositionality) and to illustrate a 
technique to derive expected complexity bounds for an algorithm (feature composi- 
tionality). 

Finally, we introduce coin lemmas [25, 38] to illustrate our main technique to 
separate probability from nondeterminism. Coin lemmas are a formal expression of 
the intuition that a randomized algorithm behaves correctly whenever some specific 
random draws give some specific results. Coin lemmas provide us with a technique 
to reduce the analysis of a randomized system to the analysis of an ordinary LTS. 

As our main running example we use a large case study [33] where the random- 
ized consensus algorithm of Aspnes and Herlihy [2] is shown to terminate within 
polynomial time. The algorithm of Aspnes and Herlihy is particularly interesting 
for its high non-triviality. Its nondeterministic behavior is very complicated, and its 
probabilistic behavior is based on the theory of Random Walks [13]. In this case 
study all the forms of compositionality that we introduce are used. 

The rest of the paper is organized as follows. Section 2 introduces the model 
[38] that we use for the analysis of randomized distributed algorithms; Section 3 
introduces complexity measures [38, 32] and shows how to study the expected com- 
plexity of an algorithm; Section 4 introduces progress statements [38, 25, 32] for 
the study of the partial progress of an algorithm; Section 5 describes the algorithm 
of Aspnes and Herlihy, our running example; Section 6 shows how progress state- 
ments and projections can be used to reason compositionally about an algorithm; 
Section 7 describes the main probabilistic component of the algorithm of Aspnes 
and Herlihy, and Section 8 shows how to use coin lemmas to reason composition- 
ally about the probabilistic behavior of an algorithm; Section 9 gives a hint on how 
to use refinements [27] to reason about randomized algorithms; Section 10 analyzes 
the time complexity of the algorithm of Aspnes and Herlihy and gives examples of 
how to reason compositionally using complexity measures; finally, Section 11 gives 
references to related work, and Section 12 gives some concluding remarks. 



2 Probabilistic Automata 



In this section we introduce probabilistic automata by enriching the probabilistic 
automata of [38] with an input/output distinction. The input/output distinction is 
useful to define some meaningful fairness conditions; however, the properties that 
we describe are valid even without such distinction. 



2.1 Probability Spaces 



A probability space $\mathcal{P}$ is a triplet $(\Omega, \mathcal{F}, P)$ where $\Omega$ is a set, $\mathcal{F}$ is a collection of 
subsets of $\Omega$ that is closed under complement and countable union and such that 
$\Omega \in \mathcal{F}$, also called a $\sigma$-field, and $P$ is a function from $\mathcal{F}$ to $[0, 1]$ such that $P[\Omega] = 1$ 
and such that for any collection $\{C_i\}_i$ of at most countably many pairwise disjoint 
elements of $\mathcal{F}$, $P[\cup_i C_i] = \sum_i P[C_i]$. 

A probability space $(\Omega, \mathcal{F}, P)$ is discrete if $\mathcal{F} = 2^\Omega$ and for each $C \subseteq \Omega$, 
$P[C] = $ . For any arbitrary set $X$, let $Probs(X)$ denote the set of 
discrete probability spaces $(\Omega, \mathcal{F}, P)$ where $\Omega \subseteq X$, and such that all the elements 
of $\Omega$ have a non-zero probability. 
2.2 Probabilistic Automata 

An I/O automaton $A$ consists of five components: 

— a set $States(A)$ of states; 

— a non-empty set $Start(A) \subseteq States(A)$ of start states; 

— an action signature $Sig(A) = (in(A), out(A), int(A))$, where $in(A)$, $out(A)$ and 
$int(A)$ are disjoint sets of input, output, and internal actions, respectively; 

— a transition relation $Trans(A) \subseteq States(A) \times Actions(A) \times States(A)$, where 
$Actions(A)$ denotes the set $in(A) \cup out(A) \cup int(A)$, such that for each state 
$s$ of $States(A)$ and each input action $a$ of $in(A)$ there is a state $s'$ such that 
$(s, a, s') \in Trans(A)$; 

— a task partition $Tasks(A)$, which is an equivalence relation on $int(A) \cup out(A)$ 
that has at most countably many equivalence classes. The elements of $Trans(A)$ 
are called transitions, and $A$ is said to be input enabled. An equivalence class of 
$Tasks(A)$ is called a task of $A$. 

A probabilistic I/O automaton $M$ differs from an I/O automaton in its transition 
relation. That is, $Trans(M) \subseteq States(M) \times Actions(M) \times Probs(States(M))$. In 
the rest of the paper we refer to (probabilistic) I/O automata as (probabilistic) 
automata. Observe that an automaton is a special case of a probabilistic automaton. 

Probabilistic automata are partially captured by the reactive model of [16] in the 
sense that the reactive model assumes some form of nondeterminism between dif- 
ferent actions. However, the reactive model does not allow nondeterministic choices 
between transitions involving the same action. By restricting simple probabilistic 
automata to have finitely many states, we obtain objects with a structure similar 
to that of the Concurrent Labeled Markov Chains of [17]; however, in our model 
we do not need to distinguish between nondeterministic and probabilistic states. In 
our model nondeterminism is obtained by means of the structure of the transition 
relation. This allows us to retain most of the traditional notation that is used for 
automata. 



2.3 Executions 

A state $s$ of $M$ is said to enable a transition if there is a transition $(s, a, \mathcal{P})$ in 
$Trans(M)$. An action $a$ is said to be enabled from a state $s$ of $M$ if $s$ enables a 
transition with action $a$. 

An execution fragment of $M$ is a sequence $\alpha$ of alternating states and actions of 
$M$ starting with a state and, if $\alpha$ is finite, ending with a state, $\alpha = s_0 a_1 s_1 a_2 s_2 \cdots$, such 
that for each $i > 0$ there exists a transition $(s_{i-1}, a_i, \mathcal{P})$ of $M$ such that $s_i \in \Omega$. 
Denote by $fstate(\alpha)$ the first state of $\alpha$ and, if $\alpha$ is finite, denote by $lstate(\alpha)$ the last 
state of $\alpha$. An execution is an execution fragment whose first state is a start state. 

An execution fragment $\alpha$ is said to be fair iff the following conditions hold for 
every task $T$ of $M$: 

1. if $\alpha$ is finite then no action from $T$ is enabled in $lstate(\alpha)$; 

2. if $\alpha$ is infinite, then either actions from $T$ occur infinitely many times in $\alpha$, or 
$\alpha$ contains infinitely many occurrences of states from which no action from $T$ is 
enabled. 

A state $s$ of $M$ is reachable if there exists a finite execution of $M$ that ends in $s$. 
A finite execution fragment $\alpha_1 = s_0 a_1 s_1 \cdots a_n s_n$ of $M$ and an execution fragment 
$\alpha_2 = s_n a_{n+1} s_{n+1} \cdots$ of $M$ can be concatenated. The concatenation, written $\alpha_1 \frown \alpha_2$, 
is the execution fragment $s_0 a_1 s_1 \cdots a_n s_n a_{n+1} s_{n+1} \cdots$. An execution fragment $\alpha_1$ of 
$M$ is a prefix of an execution fragment $\alpha_2$ of $M$, written $\alpha_1 \le \alpha_2$, iff either $\alpha_1 = \alpha_2$ 
or $\alpha_1$ is finite and there exists an execution fragment $\alpha_1'$ of $M$ such that $\alpha_2 = \alpha_1 \frown \alpha_1'$. 



2.4 Probabilistic Executions 

An execution fragment of $M$ is the result of resolving both the probabilistic and 
the nondeterministic choices of $M$. If only the nondeterministic choices are resolved, 
then we obtain a structure similar to a cycle-free Markov chain, which we call a 
probabilistic execution fragment of $M$. From the point of view of the study of algo- 
rithms, the nondeterminism is resolved by an adversary that chooses a transition to 
schedule based on the past history of the system. A probabilistic execution is the 
result of the action of some adversary. A probabilistic execution can be thought of as 
the result of unfolding the transition relation of a probabilistic automaton and then 
choosing one transition for each state of the unfolding. It has a structure similar 
to the structure of a probabilistic automaton, where the states are finite execution 
fragments of $M$. 

Formally, a probabilistic execution fragment $H$ of a probabilistic automaton $M$ 
consists of four components. 

— a set of states $States(H) \subseteq frag^*(M)$; let $q$ range over the states of $H$; 

— a signature $Sig(H) = Sig(M)$; 

— a singleton set $Start(H) \subseteq States(M)$; 

— a transition relation $Trans(H) \subseteq States(H) \times Probs((Actions(H) \times States(H)) \cup \{\delta\})$ 
such that for each transition $(q, \mathcal{P})$ of $H$ there is a family of transitions of 
$M$ $\{(lstate(q), a_i, \mathcal{P}_i)\}_{i>0}$ and a family of probabilities $\{p_i\}_{i>0}$ satisfying the 
following properties: $\mathcal{P}[\delta] = 1 - \sum_{i>0} p_i$, and for each action $a$ and 
state $s$, $\mathcal{P}[(a, qas)] = \sum_{i \mid a_i = a} p_i \mathcal{P}_i[s]$. 

Furthermore, each state of $H$ is reachable, where reachability is defined analogously 
to the notion of reachability for probabilistic automata after defining an execution 
of a probabilistic execution fragment in the obvious way. A probabilistic execution 
$H$ of a probabilistic automaton $M$ is a probabilistic execution fragment of $M$ whose 
start state is a state of $Start(M)$. 

A probabilistic execution is like a probabilistic automaton, except that within a 
transition it is possible to choose probabilistically over actions as well. Furthermore, 
a transition may contain a special symbol $\delta$, which corresponds to not scheduling any 
transition. In particular, it is possible that from a state $q$ a transition is scheduled 
only with some probability $p < 1$. In such a case the probability of $\delta$ is $1 - p$. 

It is possible to define a probability space $\mathcal{P}_H = (\Omega_H, \mathcal{F}_H, P_H)$ associated with $H$. 
In particular $\Omega_H$ is a set of execution fragments of $M$ (the limit closure of the states 
of $H$), $\mathcal{F}_H$ is the smallest $\sigma$-field that contains the set of cones $C_q$, consisting of those 
elements of $\Omega_H$ having $q$ as a prefix (let $q$ denote a state of $H$), and the probability 
measure $P_H$ is the unique extension of the probability measure defined on cones as 
follows: $P_H[C_q]$ is the product of the probabilities of each transition of $H$ leading to 
$q$. Standard measure theory guarantees that $\mathcal{P}_H$ is well defined. Furthermore, $\mathcal{P}_H$ 
is sufficiently rich to describe properties like single or multiple occurrences of an 
action, reachability properties, fairness properties. See [38] for more details. 

An event $E$ of $\mathcal{P}_H$ is an element of $\mathcal{F}_H$. An event $E$ is called finitely satisfiable if 
it can be expressed as a union of cones. We have chosen the term finitely satisfiable 
since it is possible to determine that an execution $\alpha$ is in $E$ by looking at a finite 
prefix of $\alpha$. A finitely satisfiable event can be represented by a set $\Theta$ of incomparable 
states of $H$. The event denoted by $\Theta$ is $\cup_{q \in \Theta} C_q$. We abuse notation by writing $P_H[\Theta]$ 
for $P_H[\cup_{q \in \Theta} C_q]$. We call a set of incomparable states of $H$ a cut of $H$, and we say 
that a cut $\Theta$ is full if $P_H[\Theta] = 1$. 

An important event of $\mathcal{P}_H$ is the set of fair executions of $\Omega_H$. We define a 
probabilistic execution fragment $H$ to be fair if the set of fair execution fragments 
has probability 1 in $\mathcal{P}_H$. 



2.5 Parallel Composition 

Probabilistic automata can be composed in parallel. Due to the reactive structure of 
probabilistic automata, the definition of parallel composition is simple. The states 
of the composition are the cross product of the states of the components. The com- 
posed probabilistic automata synchronize on their common actions and evolve in- 
dependently on the others. Whenever a synchronization occurs, the state that is 
reached is obtained by choosing a state independently for each of the probabilistic 
automata involved. 

Formally, two probabilistic automata $M_1$ and $M_2$ are compatible iff $int(M_1) \cap acts(M_2) = \emptyset$ 
and $acts(M_1) \cap int(M_2) = \emptyset$. The parallel composition of two compatible 
probabilistic automata $M_1$ and $M_2$, denoted by $M_1 \,\|\, M_2$, is the probabilistic 
automaton $M$ such that 

1. $States(M) = States(M_1) \times States(M_2)$; 

2. $Start(M) = Start(M_1) \times Start(M_2)$; 

3. $in(M) = (in(M_1) \cup in(M_2)) - (out(M_1) \cup out(M_2))$, 
$int(M) = int(M_1) \cup int(M_2)$, 
$out(M) = out(M_1) \cup out(M_2)$; 

4. $((s_1, s_2), a, \mathcal{P}) \in Trans(M)$ iff $\mathcal{P} = \mathcal{P}_1 \otimes \mathcal{P}_2$ where 

(a) if $a \in Actions(M_1)$ then $(s_1, a, \mathcal{P}_1) \in Trans(M_1)$, else $\mathcal{P}_1 = \mathcal{U}(s_1)$, and 

(b) if $a \in Actions(M_2)$ then $(s_2, a, \mathcal{P}_2) \in Trans(M_2)$, else $\mathcal{P}_2 = \mathcal{U}(s_2)$, 

where $\mathcal{U}(s)$ denotes a probability distribution over a single state $s$. 

In a parallel composition the notion of projection is one of the main tools to 
support compositional reasoning. A projection of an execution fragment $\alpha$ onto a 
component within a parallel composition is the contribution of the component to 
obtain $\alpha$. Formally, let $M$ be $M_1 \,\|\, M_2$, the parallel composition of $M_1$ and $M_2$, and 
let $\alpha$ be an execution fragment of $M$. The projection of $\alpha$ onto $M_i$, denoted by $\alpha \lceil M_i$, 
is the sequence obtained from $\alpha$ by replacing each state with its $i$th component and 
by removing all actions that are not actions of $M_i$ together with their following state. 
It is the case that $\alpha \lceil M_i$ is an execution fragment of $M_i$ [26]. 
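The composition of items 1-4 and the projection of an execution fragment just defined, as an added example (our code, not the paper's): two small constructed components are composed, and a fragment of the composition is projected back onto each of them and checked to be one of their execution fragments; the dictionary encoding of automata and distributions is our assumption.

```python
# Added example (ours, not the paper's): parallel composition of two compatible
# probabilistic I/O automata (items 1-4 above) and projection of an execution
# fragment onto a component. Encodings are ours: a distribution is a dict
# state -> probability; an automaton is a dict with keys states, start, in,
# out, int and trans, where trans is a list of (state, action, distribution).
from itertools import product

def acts(M):
    return M["in"] | M["out"] | M["int"]

def compatible(M1, M2):
    """int(M1) ∩ acts(M2) = ∅ and acts(M1) ∩ int(M2) = ∅."""
    return not (M1["int"] & acts(M2)) and not (acts(M1) & M2["int"])

def unit(s):
    """U(s): the distribution concentrated on the single state s."""
    return {s: 1.0}

def tensor(P1, P2):
    """P1 ⊗ P2: the target state is chosen independently per component."""
    return {(s1, s2): p1 * p2
            for (s1, p1), (s2, p2) in product(P1.items(), P2.items())}

def compose(M1, M2):
    """M1 || M2; shared actions synchronize, the others interleave."""
    if not compatible(M1, M2):
        raise ValueError("incompatible automata")
    M = {"states": set(product(M1["states"], M2["states"])),
         "start": set(product(M1["start"], M2["start"])),
         "in": (M1["in"] | M2["in"]) - (M1["out"] | M2["out"]),
         "out": M1["out"] | M2["out"], "int": M1["int"] | M2["int"], "trans": []}
    for (s1, s2), a in product(M["states"], acts(M1) | acts(M2)):
        # (a) and (b): a component that does not own a stays put with U(s)
        c1 = ([P for s, b, P in M1["trans"] if s == s1 and b == a]
              if a in acts(M1) else [unit(s1)])
        c2 = ([P for s, b, P in M2["trans"] if s == s2 and b == a]
              if a in acts(M2) else [unit(s2)])
        for P1, P2 in product(c1, c2):        # every nondeterministic pairing
            M["trans"].append(((s1, s2), a, tensor(P1, P2)))
    return M

def project(alpha, i, Mi):
    """alpha⌈M_i: keep the i-th component of each state and drop every action
    that is not an action of M_i together with the state following it."""
    out = [alpha[0][i]]
    for k in range(1, len(alpha), 2):
        if alpha[k] in acts(Mi):
            out += [alpha[k], alpha[k + 1][i]]
    return out

def is_execution_fragment(M, alpha):
    """Every step (s, a, s') needs a transition (s, a, P) of M with P[s'] > 0."""
    for k in range(1, len(alpha), 2):
        s, a, s2 = alpha[k - 1], alpha[k], alpha[k + 1]
        if not any(t == s and b == a and P.get(s2, 0) > 0 for t, b, P in M["trans"]):
            return False
    return True

# Constructed components: COIN tosses internally and announces the outcome;
# COUNTER counts announced heads (its input action) and ticks internally.
COIN = {"states": {"idle", "h", "t"}, "start": {"idle"},
        "in": set(), "out": {"heads", "tails"}, "int": {"toss"},
        "trans": [("idle", "toss", {"h": 0.5, "t": 0.5}),
                  ("h", "heads", {"idle": 1.0}), ("t", "tails", {"idle": 1.0})]}
COUNTER = {"states": {0, 1, 2}, "start": {0}, "in": {"heads"}, "out": set(), "int": {"tick"},
           "trans": [(c, "heads", {min(c + 1, 2): 1.0}) for c in range(3)]  # input enabled
                  + [(c, "tick", {c: 1.0}) for c in range(3)]}
ALPHA = [("idle", 0), "toss", ("h", 0), "heads", ("idle", 1), "tick", ("idle", 1)]

def composed_toss():
    """Distribution reached by 'toss' from (idle, 0): only COIN moves, COUNTER stays."""
    M = compose(COIN, COUNTER)
    return next(P for s, a, P in M["trans"] if s == ("idle", 0) and a == "toss")
```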

The notion of projection can be extended to probabilistic executions (cf. Sec- 
tion 4.3 of [38]). Here we do not present the formal definition of projection; rather, 
we describe the properties of projections that are needed for our analysis, and we re- 
fer the reader to [38] for a more detailed description. Given a probabilistic execution 
fragment $H$ of $M$, it is possible to define an object $H \lceil M_i$, which is a probabilistic ex- 
ecution fragment of $M_i$ that informally represents the contribution of $M_i$ to $H$. The 
states of $H \lceil M_i$ are the projections onto $M_i$ of the states of $H$. The most important 
fact is that the probability space associated with $H \lceil M_i$ is the image space under 
projection (cf. Proposition 1) of the probability space associated with $H$. This prop- 
erty allows us to prove probabilistic properties of $H$ based on probabilistic properties 
of $H \lceil M_i$ (process compositionality). 

Proposition 1 [33]. Let $M$ be $M_1 \,\|\, M_2$, and let $H$ be a probabilistic execution 
fragment of $M$. Let $i \in \{1, 2\}$. Then $\Omega_{H \lceil M_i} = \{\alpha \lceil M_i \mid \alpha \in \Omega_H\}$, and for each 
$E \in \mathcal{F}_{H \lceil M_i}$, $P_{H \lceil M_i}[E] = P_H[\{\alpha \in \Omega_H \mid \alpha \lceil M_i \in E\}]$. 



3 Complexity Measures 

A complexity function is a function from execution fragments of $M$ to . A com- 
plexity measure is a complexity function $\phi$ such that, for each pair $\alpha_1$ and $\alpha_2$ of 
execution fragments that can be concatenated, $\max(\phi(\alpha_1), \phi(\alpha_2)) \le \phi(\alpha_1 \frown \alpha_2) \le 
\phi(\alpha_1) + \phi(\alpha_2)$. 

Informally, a complexity measure is a function that determines the complexity 
of an execution fragment, where by complexity of an execution fragment we mean 
something proportional to the amount of work that is necessary to carry out the 
related operations. A complexity measure satisfies two natural requirements: the 
complexity of two tasks performed sequentially should not exceed the complexity of 
performing the two tasks separately and should be at least as large as the complexity 
of the more complex task; it should not be possible to accomplish more by working 
less. Examples of complexity measures are the total number of operations performed 
in a protocol, and the number of operations of some specific type performed in a 
protocol. 

Consider a probabilistic execution fragment $H$ of $M$ and a finitely satisfiable 
event $\Theta$ of $\mathcal{F}_H$. The elements of $\Theta$ represent the points where the property denoted 
by $\Theta$ is satisfied. Let $\phi$ be a complexity function. Then it is possible to define the 
expected complexity $\phi$ to reach $\Theta$ in $H$ as 

$E_\phi[H, \Theta] = \begin{cases} \sum_{q \in \Theta} \phi(q)\, P_H[C_q] & \text{if } P_H[\Theta] = 1 \\ \infty & \text{otherwise.} \end{cases}$

The expected complexity $E_\phi[H, \Theta]$ expresses the average amount of work necessary 
before satisfying the property expressed by $\Theta$. If the probability of $\Theta$ is not 1, then 
the average work could potentially be infinite. 

Below we present three compositionality results for complexity measures. Propo- 
sition 2 is an instance of feature compositionality, Proposition 3 is an instance of 
property compositionality, and Proposition 4 is an instance of process composition- 
ality. We give an informal explanation of each result. 

If several complexity measures are related by a linear inequality, then their ex- 
pected values over a full cut are related by the same linear inequality. This result 
follows from the observation that the function that expresses the complexity of the 
elements of a full cut is a random variable [13]. 

Proposition 2. Let $\Theta$ be a full cut of a probabilistic execution fragment $H$. Let 
$\phi, \phi_1, \phi_2$ be complexity functions, and $c_1, c_2$ two constants such that, for each $\alpha \in \Theta$, 
$\phi(\alpha) \le c_1 \phi_1(\alpha) + c_2 \phi_2(\alpha)$. Then $E_\phi[H, \Theta] \le c_1 E_{\phi_1}[H, \Theta] + c_2 E_{\phi_2}[H, \Theta]$. □ 
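The cone probabilities, cuts and expected complexity $E_\phi[H, \Theta]$ of this section, and the linear inequality of Proposition 2, computed on a small constructed probabilistic execution fragment, as an added example (our code, not the paper's); the tree encoding of $H$ and the toss-until-heads adversary are our assumptions.

```python
# Added example (ours, not the paper's): a probabilistic execution fragment H
# encoded as a tree of finite execution fragments, the cone probabilities
# P_H[C_q], cuts, the expected complexity E_phi[H, Theta] of Section 3, and a
# numerical check of the linear-inequality result of Proposition 2.

def build_toss_tree(depth):
    """Constructed H: an adversary schedules a fair toss from state 's' until
    heads 'h' shows or `depth` tosses have been made. States of H are tuples
    s0 a1 s1 ... (execution fragments of the underlying automaton); each maps
    to a distribution over (action, next state), empty meaning P[delta] = 1."""
    trans, frontier = {}, [("s",)]
    while frontier:
        q = frontier.pop()
        tosses = (len(q) - 1) // 2
        if q[-1] == "h" or tosses >= depth:
            trans[q] = {}                    # nothing scheduled: P[delta] = 1
            continue
        trans[q] = {("toss", q + ("toss", "h")): 0.5, ("toss", q + ("toss", "s")): 0.5}
        frontier += [nxt for (_, nxt) in trans[q]]
    return trans

def cone_prob(H, q):
    """P_H[C_q]: product of the transition probabilities along the path to q."""
    p = 1.0
    for k in range(3, len(q) + 1, 2):        # prefixes s0 a1 s1, s0 a1 s1 a2 s2, ...
        p *= H[q[:k - 2]].get((q[k - 2], q[:k]), 0.0)
    return p

def is_prefix(q1, q2):
    return len(q1) <= len(q2) and q2[:len(q1)] == q1

def is_cut(theta):
    """A cut is a set of pairwise incomparable states of H."""
    return all(q1 == q2 or not is_prefix(q1, q2) for q1 in theta for q2 in theta)

def prob(H, theta):
    """P_H[Theta], the probability of the union of the (disjoint) cones C_q."""
    return sum(cone_prob(H, q) for q in theta)

def expected_complexity(H, theta, phi):
    """E_phi[H, Theta]: sum of phi(q) P_H[C_q] over q in Theta if the cut is
    full, infinity otherwise."""
    if not is_cut(theta):
        raise ValueError("Theta is not a set of incomparable states")
    if abs(prob(H, theta) - 1.0) > 1e-12:
        return float("inf")
    return sum(phi(q) * cone_prob(H, q) for q in theta)

# Complexity functions on fragments: work counted in tosses, split by outcome.
def n_tosses(q): return (len(q) - 1) // 2
def n_tails(q):  return sum(1 for k in range(2, len(q), 2) if q[k] == "s")
def n_heads(q):  return sum(1 for k in range(2, len(q), 2) if q[k] == "h")

H3 = build_toss_tree(3)
LEAVES = {q for q, d in H3.items() if not d}        # full cut: every terminal state
HEADS_ONLY = {q for q in LEAVES if q[-1] == "h"}    # not full: misses the all-tails leaf

def check_proposition_2(H, theta, c1=1.0, c2=1.0):
    """Proposition 2 for phi = n_tosses, which satisfies
    n_tosses(q) <= c1*n_tails(q) + c2*n_heads(q) pointwise (with equality here)."""
    lhs = expected_complexity(H, theta, n_tosses)
    rhs = (c1 * expected_complexity(H, theta, n_tails)
           + c2 * expected_complexity(H, theta, n_heads))
    return lhs, rhs, lhs <= rhs + 1e-12
```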

Suppose that within a computation it is possible to identify several phases, each 
one with its own complexity, and suppose that the complexity associated with each 
phase remains 0 until the phase starts. Suppose that the expected complexity of 
each phase is bounded by some constant $c$. If we know that the expected number 
of phases that start is bounded by $k$, then the expected complexity of the system is 
bounded by $ck$. In the statement below $\phi_i$ denotes the complexity associated with 
phase $i$ and $\phi$ denotes the number of phases that have started. 

Proposition 3. Let $M$ be a probabilistic automaton. Let $\phi_1, \phi_2, \phi_3, \ldots$ be a count- 
able collection of complexity functions for $M$, and let $\phi'$ be a complexity function 
defined as $\phi'(\alpha) = $ . Let $c$ be a constant, and suppose that for each fair 
probabilistic execution fragment $H$ of $M$, each full cut $\Theta$ of $H$, and each $i > 0$, 
$E_{\phi_i}[H, \Theta] \le c$. 

Let $H$ be a probabilistic fair execution fragment of $M$, and let $\phi$ be a complexity 
measure for $M$. For each $i > 0$, let $\Theta_i$ be the set of minimal states $q$ of $H$ such that 
$\phi(q) \ge i$. Suppose that for each $q \in \Theta_i$, $\phi_i(q) = 0$, and that for each state $q$ of $H$ 
and each $i > \phi(q)$, $\phi_i(q) = 0$. 

Then, for each full cut $\Theta$ of $H$, $E_{\phi'}[H, \Theta] \le c\, E_\phi[H, \Theta]$. □ 

Finally, to verify properties modularly it is useful to derive complexity properties 
of complex systems based on complexity properties of their components. Proposi- 
tion 4 below is an example of how to lift an expected complexity bound from a 
component to the whole composition. 

Proposition 4. Let $M$ be $M_1 \,\|\, M_2$, and let $i \in \{1, 2\}$. Let $\phi$ be a complexity function 
for $M$, and let $\phi_i$ be a complexity function for $M_i$. Suppose that for each finite 
execution fragment $\alpha$ of $M$, $\phi(\alpha) = $ . Let $c$ be a constant. Suppose that for 
each probabilistic execution fragment $H$ of $M_i$ and each full cut $\Theta$ of $H$, $E_{\phi_i}[H, \Theta] \le c$. 
Then, for each probabilistic execution fragment $H$ of $M$ and each full cut $\Theta$ of $H$, 
$E_\phi[H, \Theta] \le c$. □ 



4 Progress Statements 

A progress statement is a predicate that can be used to state reachability properties. 
It is a probabilistic extension of the leadsto operator of UNITY [6]. The notation 
for a progress statement is 

$$U \xrightarrow[p]{\phi \le c} U'$$ 

where U and U' are sets of states, p is a probability, $\phi$ is a complexity measure, and 
c is a non-negative real number. It states that, no matter how the nondeterminism 
is resolved, the probability of reaching a state of U' from a state of U within $\phi$-
complexity c is at least p. In this paper we require fairness for the resolution of 
nondeterminism; however, the results that we describe below hold also for more 
general schemas of resolution of the nondeterminism [38]. 

Given a probabilistic execution fragment H of a probabilistic automaton M, 
let $e_{U',\phi(c)}(H)$ denote the set of executions $\alpha$ of $\Omega_H$ with a prefix $\alpha'$ such that 
$\phi(\alpha') \le c$ and $lstate(\alpha') \in U'$. We say that the predicate $U \xrightarrow[p]{\phi \le c} U'$ is true for M iff 
for each fair probabilistic execution fragment H of M that starts from a state of U, 
$P_H[e_{U',\phi(c)}(H)] \ge p$. 

Progress statements can be decomposed into simpler statements to be proved 
separately. Some examples of decompositions are provided by the proposition below. 

Proposition 5. Let M be a probabilistic automaton, $U, U', U'', U''' \subseteq States(M)$, 
and $\phi$ be a complexity measure. Then, 

1. if $U \xrightarrow[p]{\phi \le c} U'$ and $U' \xrightarrow[p']{\phi \le c'} U''$, then $U \xrightarrow[pp']{\phi \le c + c'} U''$; 

2. if $U \xrightarrow[p]{\phi \le c} U'$, then $U \cup U'' \xrightarrow[p]{\phi \le c} U' \cup U''$; 

3. if $U \xrightarrow[p]{\phi \le c} U'$ and $U'' \xrightarrow[p']{\phi \le c'} U'''$, then $U \cup U'' \xrightarrow[\min(p,p')]{\phi \le \max(c,c')} U' \cup U'''$. □ 



Progress statements can also be used to derive upper bounds on the expected 
complexity to reach a set of states. Denote by $U \to U$ unless $U'$ the predicate that 
is true for M iff for every execution fragment sas' of M, $s \in U - U' \Rightarrow s' \in U \cup U'$. 
Informally, $U \to U$ unless $U'$ means that, once a state from U is reached, M remains 
in U unless U' is reached. For each probabilistic execution fragment H of M, let 
$\Theta_{U'}(H)$ denote the set of minimal states of H where a state from U' is reached. The 
following theorem provides a way of computing the expected $\phi$ for reaching U'. 

Proposition 6 [38]. Let M be a probabilistic automaton and $\phi$ be a complexity 
measure for M. Suppose that for each execution fragment of M of the form sas', 
$\phi(sas') \le 1$, that is, each transition of M increases $\phi$ by at most 1. Let U and U' be 
sets of states of M. Let H be a probabilistic execution fragment of M that starts from 
a state of U, and suppose that for each state q of H such that $lstate(q) \in U - U'$ 
some transition is scheduled with probability 1. Suppose also that $U \xrightarrow[p]{\phi \le c} U'$ and 
$U \to U$ unless $U'$. Then, $E_\phi[H, \Theta_{U'}(H)] \le (c + 1)/p$. □ 



5 Example: The Algorithm of Aspnes and Herlihy 

The algorithm of Aspnes and Herlihy [2] is a randomized algorithm that solves the 
consensus problem within expected polynomial time. The problem consists of letting 
n processes agree on some value in the set {0, 1} so that the properties of validity, 
agreement, and wait-free termination are satisfied. Validity states that the value 
chosen by each process should be a value that was proposed in the past by some 
process; agreement states that no two processes choose different values; wait-free 
termination states that all non-failed processes eventually decide. Processes may 
fail by stopping, and the interaction between processes is asynchronous. In other 
words, it is not possible to distinguish between a slow process and a failed process. 
It is shown in [14] that there is no algorithm that can solve the consensus problem. 
Aspnes and Herlihy have shown that by relaxing the wait-free termination property 
so that the probability of termination is 1, the consensus problem can be solved 
within expected polynomial time. 

The algorithm of Aspnes and Herlihy proceeds in rounds. Every process main- 
tains a variable with two fields, value and round, that contain the process' current 
preferred value (0, 1 or ⊥) and current round (a non-negative integer), respectively. 
We say that a process is at round r if its round field is equal to r. The variables 
(value, round) are multiple-reader single-writer. Each process starts with its round 
field initialized to 0 and its value field initialized to ⊥. 

After receiving the initial value to agree on, each process i executes the following 
loop. It first reads the (value, round) variables of all other processes into its local 
memory. We say that process i is a leader if according to its readings its own round 
is greater than or equal to the rounds of all other processes. We also say that a 
process i observed that another process j is a leader if according to i's readings the 
round of j is greater than or equal to the rounds of all other processes. If process i at 
round r discovers that it is a leader, and that according to its readings all processes 
that are at rounds r and r − 1 have the same value as i, then i breaks out of the loop 
and decides on its value. Otherwise, if all processes that i observed to be leaders 
have the same value v, then i sets its value to v, increments its round and proceeds 
to the next iteration of the loop. In the remaining case (leaders that i observed do 
not agree), i sets its value to ⊥ and scans again the other processes. If once again 
the leaders observed by i do not agree, then i determines its new preferred value for 
the next round by invoking a coin flipping protocol. There is a separate coin flipping 
protocol for each round. 
We represent the main part of the algorithm as an automaton AP (Agreement 
Protocol) and the coin flipping protocols as probabilistic automata $CF_r$ (Coin Flip- 
per), one for each round r (cf. Figure 1). The coin flipper receives and handles 
requests from each process. We say that a request from a process i is received on 
port i, and we say that a port i is non-failing if process i does not fail. With this de- 
composition we can analyze several properties just on AP using ordinary techniques 
for non-probabilistic systems. Indeed, in this section we deal with AP only, and we 
leave the coin flippers unspecified. 

The formal definition of AP is given in Table 1 using the precondition/effect 
notation that is typical of I/O automata [26]. Beside the shared variables value(i) 
and round(i), each process has a program counter pc, two arrays values and rounds 
containing the scans of the other processes, a set variable obs saying what processes 
have been observed, a variable start holding the initial preferred value, and two 
variables decided and stopped stating whether the process has decided or failed. We 
explain some of the relevant predicates: obs-leader(j) is true if i observes that j is a 
leader; obs-agree(r, v) is true if the observations of all the processes whose round is 
at least r agree on v; obs-leader-agree(v) is true if i observes that the leaders agree 
on a value v; obs-leader-value is the value of one of the leaders observed by i. We 
say that a process is active if it is attempting to agree on a value. An active process 
becomes inactive either by deciding a value or by failing. 



6 Compositionality Using Projections and Progress 
Statements 

The validity and agreement properties of the algorithm of Aspnes and Herlihy do 
not depend on any probabilistic assumption. These are safety properties and can be 
studied solely on AP by means of ordinary invariants. Informally, the invariant for 
validity states that no process will ever prefer a value different from its initial value 
if all processes have the same initial value, while the invariant for agreement states 
that if a process i that is at round r is "about to decide" on some value v, then every 
process that is at round r or higher has its value equal to v. Since the verification 
of validity and agreement is reduced to the analysis of ordinary nondeterministic 
systems, it is not our interest here to pursue this direction and we refer the reader 
to [33] for further details. 

Actions and transitions of process i. 

  input init(v)_i 
    Eff: start ← v 

  output start(v)_i 
    Pre: pc = init ∧ start = v ≠ ⊥ 
    Eff: value(i) ← v 
         round(i) ← 1 
         pc ← read1 

  output read1(k)_i 
    Pre: pc = read1 
         k ∉ obs 
    Eff: values[k] ← value(k) 
         rounds[k] ← round(k) 
         obs ← obs ∪ {k} 
         if obs = {1, ..., n} then pc ← check1 

  output check1_i 
    Pre: pc = check1 
    Eff: if ∃_{v ∈ {0,1}} obs-agree(rounds[i] − 1, v) ∧ obs-leader(i) then 
           pc ← decide 
         elseif ∃_{v ∈ {0,1}} obs-leader-agree(v) then 
           value(i) ← obs-leader-value 
           round(i) ← rounds[i] + 1 
           obs ← ∅ 
           pc ← read1 
         else 
           value(i) ← ⊥ 
           obs ← ∅ 
           pc ← read2 

  output read2(k)_i 
    Pre: pc = read2 
         k ∉ obs 
    Eff: values[k] ← value(k) 
         rounds[k] ← round(k) 
         obs ← obs ∪ {k} 
         if obs = {1, ..., n} then 
           obs ← ∅ 
           pc ← check2 

  output check2_i 
    Pre: pc = check2 
    Eff: if ∃_{v ∈ {0,1}} obs-leader-agree(v) then 
           value(i) ← obs-leader-value 
           round(i) ← rounds[i] + 1 
           obs ← ∅ 
           pc ← read1 
         else 
           pc ← flip 

  output start-flip(r)_i 
    Pre: pc = flip 
         round(i) = r 
    Eff: pc ← wait 

  input return-flip(v, r)_i 
    Eff: if pc = wait ∧ round(i) = r then 
           value(i) ← v 
           round(i) ← rounds[i] + 1 
           obs ← ∅ 
           pc ← read1 

  input stop_i 
    Eff: stopped ← true 
         pc ← nil 

  output decide(v)_i 
    Pre: pc = decide ∧ values[i] = v 
    Eff: decided ← true 
         pc ← nil 

Tasks: The locally controlled actions of process i form a single task. 

Table 1. The actions and transition relation of AP. 

For the wait-free termination property we prove that the algorithm terminates 
within an expected constant number of rounds, and we relate later the round com- 
plexity to the time complexity. That is, we prove the following. 

Theorem 7. The algorithm of Aspnes and Herlihy terminates within a constant 
expected number of rounds. □ 

We use progress statements to derive our result. Define the following sets of states. 

$\mathcal{R}$: the set of reachable states of AH such that there is an active process; 

$\mathcal{D}$: the set of reachable states of AH such that there is no active process. 



Let $\phi_{MaxRound}$ be a complexity measure that counts the number of new rounds 
visited within an execution fragment, i.e., $\phi_{MaxRound}(\alpha) = lstate(\alpha).max\text{-}round - 
fstate(\alpha).max\text{-}round$, where s.max-round denotes the highest round number of the pro- 
cesses in state s. Our objective is to show that the progress statement 

$$\mathcal{R} \xrightarrow[p]{\phi_{MaxRound} \le 3} \mathcal{D} \qquad (1)$$ 

is valid for a number p that is independent of n, the number of processes. Then, using 
Proposition 6, we can derive from (1) that a state of $\mathcal{D}$ is reached within expected 
4/p rounds, that is, within a constant expected number of rounds. Note that fairness 
implies that from every state of $\mathcal{R} - \mathcal{D}$ the probability of scheduling a transition is 
1, thus satisfying the condition for the applicability of Proposition 6. 

The advantage of using the progress statement (1) is that we are left with a 
property that can be verified by analyzing a finite number of rounds. However, 
the analysis of Statement (1) is still too complex. The informal argument to prove 
Statement (1) argues that either a decision is reached, or eventually some process 
moves to a new fresh round. Once a new round is reached, we know that no coin 
has been flipped yet at that round. Furthermore, if all the coins flipped at the new 
round give the same result, then a decision is reached within two other rounds. In 
order to reflect the informal argument, we decompose Statement (1) into two parts 
(property compositionality) and use Proposition 5 to combine them. For $v \in \{0, 1\}$, 
define the following set of states. 

$\mathcal{F}_v$: the set of states of $\mathcal{R}$ where there exists a round r and a process l such that 
round(l) = r, value(l) = v, $obs_l = \emptyset$, and for all processes $j \ne l$, round(j) < r. 

Then, 

$$\mathcal{R} \xrightarrow[1]{\phi_{MaxRound} \le 1} \mathcal{F}_0 \cup \mathcal{F}_1 \cup \mathcal{D} \qquad (2)$$ 

and 

$$\mathcal{F}_v \xrightarrow[p]{\phi_{MaxRound} \le 2} \mathcal{D}. \qquad (3)$$ 



In order to show the validity of Statements (2) and (3) we identify two properties 
of AP and two properties of CF that can be composed together to yield the final 
result (process compositionality). The properties of AP are the following: 

D1 If AP is in a state s of $\mathcal{R}$ and all invocations to the coin flippers on non-failing 
ports get a response, then a state from $\mathcal{F}_0 \cup \mathcal{F}_1 \cup \mathcal{D}$ is reached within one round. 

D2 If AP is in a state s of $\mathcal{F}_v$, all invocations to the coin flippers on non-failing 
ports get a response, and all invocations to $CF_{s.max\text{-}round}$ get only response v, 
then a state from $\mathcal{D}$ is reached within two rounds. 



The properties of each $CF_r$ are the following. 

C1 For each fair probabilistic execution fragment of $CF_r$ that starts with a reachable 
state of $CF_r$, the probability that each invocation on a non-failing port gets a 
response is 1. 

C2 For each fair probabilistic execution of $CF_r$, and each value $v \in \{0, 1\}$, the 
probability that all invocations on a non-failing port get response v is at least p, 
0 < p < 1. 

Properties D1 and D2 are properties of an ordinary nondeterministic system and 
can be analyzed by means of existing techniques (invariants and liveness arguments). 
Therefore, we do not deal with their analysis in this paper. Properties C1 and C2 
are properties of the coin flippers. Their proofs involve the analysis of a random walk 
[13] and are postponed to the following sections. We emphasize that, by decomposing 
the system into AP and CF, the main probabilistic analysis of the algorithm is done 
on the coin flippers only. 

Our final objective for this section is to show how properties D1, D2, C1, and 
C2 can be composed to yield Statements (2) and (3). To this purpose we use the 
results about the projections of a probabilistic execution (cf. Proposition 1). 

Proposition 8. Assuming that properties C1 and D1 are valid, Statement (2) is 
valid. 



Proof. Let H be a probabilistic execution fragment of AH that starts from a state 
of $\mathcal{R}$. Let $\Theta$ be the set of executions of $\Omega_H$ where each invocation to any coin 
flipper on a non-failing port gets a response. By the definition of projection, the 
executions of $\Theta \lceil AP$ satisfy the premise of D1, and thus in each execution of $\Theta$ a 
state from $\mathcal{F}_0 \cup \mathcal{F}_1 \cup \mathcal{D}$ is reached within one round. Thus, it is sufficient to show 
that $P_H[\Theta] = 1$. Let, for each $i \ge 1$, $\Theta_i$ be the set of executions of $\Omega_H$ where each 
invocation to $CF_i$ on a non-failing port gets a response. Then $\Theta = \bigcap_{i \ge 1} \Theta_i$. Observe 
that, by definition, $\Theta_i$ is the inverse image under projection of the set of executions 
of $\Omega_{H \lceil CF_i}$ where each invocation on a non-failing port gets a response. From C1, 
for each i, $P_{H \lceil CF_i}[\Theta_i \lceil CF_i] = 1$, and thus, by Proposition 1, $P_H[\Theta_i] = 1$. Therefore, 
$P_H[\Theta] = 1$ since, from probability theory, any countable intersection of probability 
1 events has probability 1. 



Proposition 9. Assuming that properties D1, D2, C1 and C2 are valid, State- 
ment (3) is valid. 

Proof. Let H be a probabilistic execution fragment of AH that starts from a state 
$s_0$ of $\mathcal{F}_v$, and let $r = s_0.max\text{-}round$. Let $\Theta$ be the set of executions of $\Omega_H$ where 
each invocation to any coin flipper on a non-failing port gets a response and where 
each response of $CF_r$ has value v. By the definition of projection, the executions of 
$\Theta \lceil AP$ satisfy the premise of D2, and thus, by D2, in each execution of $\Theta$ a state 
from $\mathcal{D}$ is reached within two rounds. Thus, it is sufficient to show that $P_H[\Theta] \ge p$. 
Let, for each $i \ge 1$, $\Theta_i$ be the set of executions of $\Omega_H$ where each invocation to $CF_i$ 
on a non-failing port gets a response. Furthermore, let $\Theta'$ be the set of executions 
of $\Omega_H$ where no response of $CF_r$ has a value different from v. Then, $\Theta = (\bigcap_{i \ge 1} \Theta_i) \cap \Theta'$. Observe 
that, by definition, $\Theta_i$ is the inverse image under projection of the set of executions 
of $\Omega_{H \lceil CF_i}$ where each invocation on a non-failing port gets a response, and $\Theta'$ 
is the inverse image under projection of the set of executions of $\Omega_{H \lceil CF_r}$ where 
each response has value v. From C1, for each i, $P_{H \lceil CF_i}[\Theta_i \lceil CF_i] = 1$, and thus, 
by Proposition 1, $P_H[\Theta_i] = 1$. Since $s_0 \in \mathcal{F}_v$ and $r = s_0.max\text{-}round$, $H \lceil CF_r$ is a 
probabilistic execution of $CF_r$ (the start state of $H \lceil CF_r$ is a start state of $CF_r$), 
and thus property C2 can be applied. From C2, $P_{H \lceil CF_r}[\Theta' \lceil CF_r] \ge p$, and thus, by 
Proposition 1, $P_H[\Theta'] \ge p$. Therefore, $P_H[\Theta] \ge p$ since any countable intersection of 
probability 1 events has probability 1 and the intersection of a probability 1 event 
with an event with probability p has probability at least p. 



7 Example: a Coin Flipping Protocol 

The algorithm of Aspnes and Herlihy relies on a coin flipper that satisfies the prop- 
erties C1 and C2 mentioned earlier. The algorithm for the coin flipper is given in 
terms of n processes that interact through a centralized multiple-write single-read 
counter. Each of the n processes works as follows: once a request for a flip is received, 
it reads the value of the counter to check whether it is beyond one of the barriers Kn 
or −Kn, where K is a fixed constant. If the counter is above Kn, then the process 
returns value 1; if the counter is below −Kn, then the process returns 0; otherwise, 
the process first flips a fair coin to decide whether to increment or decrement the 
value of the counter, and then starts again. 

If after each coin flip we look at the difference between the heads and tails 
obtained so far, we observe that this number increases/decreases with probability 
1/2 at each step. This process is called a random walk. By looking at the structure 
of the coin flipping protocol, we observe that the value of the shared counter may 
differ by at most n from the current value of the difference between heads and tails. 
Therefore, as soon as the difference between heads and tails goes beyond one of the 
barriers ±(K + 1)n, all the processes return a value. From random walk theory this 
property holds with probability 1. Furthermore, if the barrier (K + 1)n is reached 
before the barrier −(K − 1)n, then all the processes return 1. From random walk 
theory this property holds with probability (K − 1)/2K, our p in property C2. A 
symmetric argument holds for the case where all processes return 0. 

So far we have argued informally that the coin flipping protocol works correctly 
since it behaves like a random walk. However, how can we be sure that there is really a 
random walk going on in the algorithm? Is there any way that the nondeterminism 
can affect the randomized process we have identified? For example, how can we 
guarantee that the scheduler cannot prevent a process from flipping whenever one 
of the barriers ±Kn is too close? Indeed, the scheduler can prevent processes from 
flipping; fortunately, this situation occurs only if all the processes that are flipping 
fail. The main problem here is that the above argument did not appear in our 
informal analysis, and the absence of such an argument could be the source of errors 
in general (cf. [36] for an example). 

Our approach to this problem is to provide general theorems that separate the 
probabilistic argument (properties of the random walk) from the nondeterministic 
argument (how the scheduler can affect the random walk), so that each problem can 
be analyzed in its own field. We call such results coin lemmas [38, 25, 32], which are 
an instance of feature compositionality. 



8 Compositionality Using Coin Lemmas 

A useful technique to prove the validity of a probabilistic property for a probabilistic 
automaton M is the following [32]: 



1. choose a set of random draws that may occur within a probabilistic execution 
of M, and choose some of the possible outcomes; 

2. show that, no matter how the nondeterminism is resolved, the chosen random 
draws give the chosen outcomes with some minimum probability p; 

3. show that whenever the chosen random draws give the chosen outcome, a state 
from U' is reached within c units of complexity $\phi$. 

The first two steps can be carried out using the so-called coin lemmas [25, 32, 38], 
which provide rules to map a stochastic process onto a probabilistic execution and 
lower bounds on the probability of the mapped events based on the properties of the 
given stochastic process; the third step concerns non-probabilistic properties and can 
be carried out by means of any known technique for non-probabilistic systems. Coin 
lemmas are essentially a way of reducing the analysis of a probabilistic property to 
the analysis of an ordinary nondeterministic property. We refer the reader to [38] 
for several examples of coin lemmas. Here we illustrate a coin lemma for symmetric 
random walks. 
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8.1 A Coin Lemma for Random Walks 

Roughly speaking, a random walk is a process that describes the moves of a par- 
ticle on the real line, where at each time the particle moves in one direction with 
probability p and in the opposite direction with probability (1 — p). In this section 
we present a coin lemma for symmetric random walks. That is, we present a rule 
for choosing events within a probabilistic execution fragment that are guaranteed to 
have properties similar to the properties of random walks where p = 1/2. A more 
general result is given in [33]. 

Let M be a probabilistic automaton and let Acts = {flzpi, ■ ■ ■ be a subset 

of Acizons(M). Let S = {( Ui , Ul), ( , U^), . . . ,(U^ , &/)} be a set of pairs where 
for each i, 1 < i < n, Uj^, U* are disjoint subsets of States(M) such that for every 
transition (s,fUp-,V) with an action fl^p^, 12 C Iff' U Uf , and P[Ul^] = T’[R/] = 
1/2. The actions from Acts represent coin flips, and the sets of states and f// 
represent the two possible outcomes. Given a Rnite execution fragment a of M , let 
Dtff Acts s(“) denote the difference between the heads and the tails that occur in 
H . Let z, B, and T be natural numbers, and let B < T. The value of z denotes the 
starting point of the particle, while B and T denote barriers in the real line. For 
each finite execution fragment a, let z + Dtff (a) denote the position of the particle 
after the occurrence of a. For each probabilistic execution fragment H oi M , let 
Top[B , T, z\{H) be the set of executions a of [2h such that either the particle reaches 
the top barrier T before the bottom barrier B, or the total number of “flips” is finite 
and the particle reaches neither barrier. Define the symmetric event Bot[B, T, z](H), 
which is the same as Top except that the bottom barrier B should be reached before 
the top barrier T. Finally, define the event Either[B, T, z](H) as Top[B, T, z](H) U 
Bot[B, T, z](H), which excludes those executions of M where infinitely many “flips” 
occur and the particle reaches neither barrier. 

Proposition 10. Lei H be a probabtltsitc execution fragment of M , and let B < 
z <T. Then 

1. Ph[Top[B, T, z](H)] > (z - B)/(T - B). 

2. Pff [Bot[B, T, z]{H)] >(T- z)/(T - B). 

5. Pff[Either[B,T,z](iL)] = 1. □ 

Therefore, we know lower bounds on the probability of the events expressed by 
Top, Bot, and Either, which are closely connected with our informal argument of 
correctness for the coin flipping protocol. Note that the events contain executions 
where finitely many coins are flipped and no barrier is reached. During the analysis 
of the events (with no probability involved) these executions appear, and therefore 
we are forced to analyze the case where the scheduler prevents the protocol from 
reaching one of the barriers. 

We conclude with a result about the expected complexity of a random walk. Let 
4>Acts{ot) be the complexity measure that counts the number of actions from Acts 
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that occur in a. Define <t>Acts,B,T,z to be the truncation of <j)Acts at the point where 
one of the barriers B and T is reached. Then we can prove an upper bound on the 
number of expected flip actions that occur before reaching one of the barriers. 

Proposition 11. Let H be a prohahiUstie exeeutton fragment of M , and let 0 be a 
full eut of H . Let B < z < T . Then, ^ t ^ ^ + (B + T)z — BT. □ 



8.2 Analysis of the Coin Flipping Protocol 

We build a coin flipping protocol that satisRes Cl and C2 with p = (LL — l)/2LL . The 
protocol is based on random walks. We define the protocol by letting a probabilistic 
automaton DCN r (Distributed CoiN) interact with a non-probabilistic counter CT^ 
(CounTer), that is, CF^ = DCNr || CTr- In this Section, DCNr is distributed while 
CTr is composed of n processes that receive requests from DCNr and read/update 
a single shared variable. In Section 9 we discuss how to decentralize CTr - Since the 
protocols for DCNr and CTr are the same for any round r, we drop the subscript 
r from our notation. In DCN each process flips a fair coin to decide whether to 
increment or decrement the shared counter. Then the process reads the current 
value of the shared counter by invoking CT, and if the value read is beyond the 
barrier —LLn (+A'n), where LL is a fixed constant, then the process returns 0 (1). 
The specification of CT states that an increment or decrement operation always 
completes unless the corresponding process fails, while a read operation is guaranteed 
to complete only if increments and decrements eventually cease. 

For the analysis of the coin Ripping protocol we start with part 3. Let Aets be 
{fUpi,...,fUp„}, and let S be {([/(, U^)}, where is the 

set of states of CF where process j has just Ripped me {fpcj = me), and is the 
set of states of CF where process j has just Ripped dee (fpCj = dee). Given a finite 
execution fragment a of CF , let 4>mc{o() be the number of coin flips in a that give 
me, and let 4>dec{o() be the number of coin flips in a that give dee. 

Lemma 12. Let a be a fair exeeutton of CF , sueh that a G Either[— (A' + l)n, (LL + 
l)n,0](A) for .some probabtUstte exeeutton H of CF. Then m a eaeh mvoeation on 
a non-fatlmg port gets a response. □ 

Lemma 13. Let a be a fair exeeutton of CF, sueh that a G Top[— (A' — l)n, (LL + 
l)n,0](A) for some probabtUstte exeeutton H of CF . Then m a every mvoeation on 
a non-fatlmg port gets response 1. □ 

The proofs of Lemmas 12 and 13 follow from simple invariant properties and do not 
involve probability. The main idea is that the value of the shared counter remains 
beyond LLn {—Lin) once the barrier (A' + l)n (—(K + l)n) is reached. A symmetric 
argument is valid for Bottom[— (A' — l)n, (LL + l)n, 0](A). 

At this point properties Cl and C2 can be proved by simple applications of the 
coin lemma for random walks. 
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Proposition 14. The com flipper CF satisfies Cl, That is, for each fair probabilis- 
tic execution fragment of CF that starts with a reachable state of CF , with probability 
1 each invocation on a non-failing port gets an answer. 

Proof. Let be a fair probabilistic execution fragment of CF that starts with a 
reachable state s of CF , and let a be a Rnite execution of CF such that Istate(a) = s. 
Let z = ftncio!) — fdecio!). If cx' is an execution of the event Either[— (/L + l)n, (K + 
l)n, z](F[), then a ^ a' is an execution of Either[— (/L — l)n, (K + l)n, 0](FT) for 
some fair probabilistic execution FT of CF , and by Lemma 12, every invocation to 
CF in a ^ a' gets a response, and therefore every invocation to CF in a' gets a 
response. By Theorem 10, [Either[— (A' + l)n, (K + l)n, z](F[)] = 1. 

Proposition 15. The coin flipper CF satisfies C2 with p = (K + 1)/2A', That is, 
fixed V G {0, 1}, for each fair probabilistic execution of CF, with probability at least 
(K — l)f2K each invocation to CF on a non-failing port returns value v. 

Proof. Assume that t; = 1; the case for t; = 0 is symmetric. Let A be a fair prob- 
abilistic execution of CF . If a is an execution of Top[— (A' — l)n, {K -\- l)n, 0](A), 
then, by Lemma 13, every invocation to CF in a gets response 1. By Theorem 10, 
Aff [Top[-(A - l)n, (A + l)n, 0](A)] > (A - 1)/2A. 



9 Compositionality Using Refinements 

A well known compositional verification technique for ordinary automata is based 
on the notions of forward/backward simulation [27] and bisimulation [29]. These 
notions can be extended to probabilistic automata as well [22, 39]. The simulation 
method is sound for the notion of trace inclusion [27], which can also be used as a 
notion of implementation. The same is true for probabilistic automata [37, 38], and 
the algorithm of Aspnes and Herlihy provides again a significative example of how 
probabilistic simulation relations enable compositional reasoning. 

In order for the algorithm of Aspnes and Herlihy to be really wait-free, the counter 
CT must be distributed among all the processes of a system. The distributed imple- 
mentation of CT, which we denote by DCT (Distributed CounTer), is presented in 
[2]. We are not interested in the details of the implementation here since there is no 
probability involved. It is possible to verify that DCT implements CT by exhibit- 
ing a refinement mapping [27] from DCT to CT . This part of the proof is simple 
and does not involve probability. Then we use the fact that an ordinary refinement 
is a special case of a probabilistic refinement, and the fact that the existence of 
refinements is preserved by parallel composition to lift to the whole algorithm the 
refinement from DCT to CT, thus showing that DCT can replace CT in AH . 

We emphasize that in the analysis above there is no probability involved. The 
decomposition of the coin flipping protocol into two parts, the processes that do flip 
coins and the shared counter, allows us to use probabilistic arguments only in those 
places where probability is really involved. 
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10 Time Analysis by Lifting Complexity Measures 



In this section we derive an upper bound on the time to reach V once all processes 
have some minimum speed. We achieve this result by studying the expected number 
of me and dec events (increments and decrements of the shared counter) that occur 
within the coin flippers and then converting the new expected bound into a time 
bound. This is done by studying several properties that express relationships between 
different complexity measures, and then lifting the results to expectations, again an 
example of feature compositionality. Again we omit all the details that do not rely 
on probability and we refer the interested reader to [33]. 

We change slightly our formal model to handle time. Specifically, we add a com-
ponent .now to the states of all our probabilistic I/O automata, and we add the set
of positive real numbers to the input actions of all our probabilistic I/O automata.
The .now component is a nonnegative real number and describes the current time
of an automaton. At the beginning (i.e., in the start states) the current time is 0,
and thus the .now component is 0. The occurrence of an action d, where d is a
positive real number, increments the .now component by d and leaves the rest of the
state unchanged. Thus, the occurrence of an action d models the fact that d time
units are elapsing. The amount of time elapsed since the beginning of an execution
is recorded in the .now component. Since time-passage actions must synchronize in
a parallel composition context, parallel composition ensures that the .now compo-
nents of the components are always equal. Thus, we can abuse notation and talk
about the .now component of the composition of two automata while we refer to
the .now component of one of the components. We define a new complexity measure
$\phi_t(\alpha)$ as the difference between the .now components of the last and first states of
$\alpha$. Informally, $\phi_t$ measures the time that elapses during an execution. We say that
an execution fragment $\alpha$ of a probabilistic automaton M is well-timed if each task
does not remain enabled for more than one time unit without being performed.

We give some preliminary definitions. Let, for each $r > 0$, $DCF_r$ (Distributed
Coin Flipper) denote $DCN_r \| DCT_r$. Let DAH (Distributed Aspnes-Herlihy) denote
$AP \| (\|_{r > 0} DCF_r)$. For an execution fragment $\alpha$ of $DCF_r$ or of DAH, let $\phi_{flip,r}(\alpha)$ be
the number of flip events of $DCF_r$ that occur in $\alpha$, and let $\phi_{id,r}(\alpha)$ be the number
of inc and dec events of $DCF_r$ that occur in $\alpha$. For each execution fragment $\alpha$ of
DAH let $\phi_{id}(\alpha)$ be the number of inc and dec events that occur in $\alpha$.

We start with some non-probabilistic properties about the new complexity mea-
sures. The first result, Lemma 16, provides a linear upper bound on the time it takes
for DAH to span a given number of rounds and to flip a given number of coins under
the assumption of well-timedness. The next two results state basic properties of the
coin flipping protocols. That is, once a barrier $\pm(K+1)n$ is reached, there are at
most n other flip events, and within any execution fragment of $DCF_r$ the difference
between the inc, dec events and the flip events is at most n.

Lemma 16. Let $\alpha$ be a well-timed execution fragment of DAH, and suppose that
all the states of $\alpha$, with the possible exception of $lstate(\alpha)$, are active, that is, are
states of $\mathcal{R}$. Let $R = fstate(\alpha).max\text{-}round$. Then $\phi_t(\alpha) \le d_1 n (\phi_{MaxRound}(\alpha) +
R) + d_2 n \phi_{id}(\alpha) + d_3 n^2$ for some constants $d_1$, $d_2$, and $d_3$. □

Lemma 17. Let $\alpha = \alpha_1 \frown \alpha_2$ be a finite execution of $DCF_r$, and suppose that
$|\phi_{inc}(\alpha_1) - \phi_{dec}(\alpha_1)| \ge (K+1)n$. Then $\phi_{flip,r}(\alpha_2) \le n$. □

Lemma 18. Let $\alpha$ be a finite execution fragment of $DCF_r$. Then,

$\phi_{id,r}(\alpha) \le \phi_{flip,r}(\alpha) + n$. □

We now deal with probabilistic properties. First, based on our results on ran-
dom walks and on Lemma 17, we show in Lemma 19 an upper bound on the ex-
pected number of coin flips performed by a coin flipper. Then, in Lemma 20 we
use Lemma 18 and our results about linear combinations of complexity measures to
derive an upper bound on the expected number of increment and decrement oper-
ations performed by a coin flipper, and we use our compositionality result about
complexity measures to show that the bound is preserved by parallel composition.
Finally, in Lemma 21 we use our result about phases of computations to combine
Theorem 7 with Lemma 20 and derive an upper bound on the expected number of
inc and dec events performed by the algorithm.

Lemma 19. Let H be a probabilistic execution fragment of $DCF_r$ that starts from a
reachable state, and let $\Theta$ be a full cut of H. Then $E_{\phi_{flip,r}}[H,\Theta] \le (K+1)^2 n^2 + n$. □

Proof. Let s be the start state of H, and let $\alpha$ be a finite execution of $DCF_r$ with
$s = lstate(\alpha)$. Let $z = \phi_{inc}(\alpha) - \phi_{dec}(\alpha)$. If $|z| \ge (K+1)n$, then, by Lemma 17,
for each $q \in \Theta$, $\phi_{flip,r}(q) \le n$, and thus $E_{\phi_{flip,r}}[H,\Theta] \le n$. If $|z| < (K+1)n$,
then, by Proposition 11, $E_{\phi_{Acts,-(K+1)n,(K+1)n,z}}[H,\Theta] \le (K+1)^2 n^2$, that is,
the event denoted by $\Theta$ is satisfied within expected $(K+1)^2 n^2$ flip events,
truncating the count whenever an absorbing barrier $\pm(K+1)n$ is reached.
Once an absorbing barrier is reached, by Lemma 17 there are at most n other flip
events. Thus, for each state q of H, $\phi_{flip,r}(q) \le \phi_{Acts,-(K+1)n,(K+1)n,z}(q) + n$. By
Proposition 2, $E_{\phi_{flip,r}}[H,\Theta] \le (K+1)^2 n^2 + n$.
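The random-walk step of the proof above, as an added example that is not part of the paper: the counter $z = \phi_{inc} - \phi_{dec}$ moves by $\pm 1$ at each flip and the count is truncated at the barriers $\pm(K+1)n$, so the expected number of flips from z is the absorption time of that walk, computed here exactly from its recurrence. The closed form $B^2 - z^2$ that the check compares against is the standard gambler's-ruin value and is an assumption, not a statement taken from the page.

```python
"""Added example (not from the paper): the expected number of flips behind
Lemma 19.  The counter z = phi_inc - phi_dec performs a fair +-1 walk and the
flip count is truncated once an absorbing barrier +-B, with B = (K+1)n, is
reached.  The closed form B^2 - z^2 for the absorption time is the standard
gambler's-ruin result and is assumed here, not taken from the page."""
from fractions import Fraction


def expected_steps_to_barrier(B: int, z: int) -> Fraction:
    """Exact expected absorption time of the symmetric +-1 walk started at z
    with absorbing barriers at -B and +B.  Solves the linear recurrence
        E(i) = 1 + (E(i-1) + E(i+1)) / 2,   E(-B) = E(B) = 0
    over the interior points -B+1 .. B-1 with a tridiagonal (Thomas) sweep,
    using Fractions so the result is exact."""
    if abs(z) >= B:
        return Fraction(0)  # at or beyond a barrier: no further flips counted
    m = 2 * B - 1  # number of interior points
    # Row i of the system reads  -E(i-1)/2 + E(i) - E(i+1)/2 = 1.
    diag = Fraction(1)
    off = Fraction(-1, 2)
    rhs = Fraction(1)
    c_prime = [Fraction(0)] * m
    d_prime = [Fraction(0)] * m
    c_prime[0] = off / diag
    d_prime[0] = rhs / diag
    for i in range(1, m):  # forward elimination
        denom = diag - off * c_prime[i - 1]
        c_prime[i] = off / denom
        d_prime[i] = (rhs - off * d_prime[i - 1]) / denom
    sol = [Fraction(0)] * m
    sol[m - 1] = d_prime[m - 1]
    for i in range(m - 2, -1, -1):  # back substitution
        sol[i] = d_prime[i] - c_prime[i] * sol[i + 1]
    return sol[z + B - 1]  # interior index of the starting point z


def closed_form(B: int, z: int) -> int:
    """Gambler's-ruin value B^2 - z^2 (assumed; used only to cross-check)."""
    return 0 if abs(z) >= B else B * B - z * z


def lemma19_bound(K: int, n: int, z: int) -> Fraction:
    """Expected flips of DCF_r from a state whose counter is z: the expected
    walk length until a barrier, plus the at most n further flips that
    Lemma 17 allows after the barrier has been reached."""
    B = (K + 1) * n
    return expected_steps_to_barrier(B, z) + n


def check_lemma19(K: int, n: int) -> bool:
    """Lemma 19's bound (K+1)^2 n^2 + n holds for every starting counter z,
    and the exact recurrence solution agrees with the closed form."""
    B = (K + 1) * n
    return all(
        expected_steps_to_barrier(B, z) == closed_form(B, z)
        and lemma19_bound(K, n, z) <= B * B + n
        for z in range(-B, B + 1)
    )
```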

Lemma 20. Let H be a probabilistic execution fragment of DAH that starts from a
reachable state, and let $\Theta$ be a full cut of H. Then $E_{\phi_{id,r}}[H,\Theta] \le (K+1)^2 n^2 + 2n$.

□

Proof. By Lemma 18, for each execution fragment $\alpha$ of $DCF_r$, $\phi_{id,r}(\alpha) \le \phi_{flip,r}(\alpha) +
n$. By Proposition 2, $E_{\phi_{id,r}}[H,\Theta] \le E_{\phi_{flip,r}}[H,\Theta] + n$. By Lemma 19, $E_{\phi_{flip,r}}[H,\Theta] \le
(K+1)^2 n^2 + n$. Thus, $E_{\phi_{id,r}}[H,\Theta] \le (K+1)^2 n^2 + 2n$.

Lemma 21. Let H be a probabilistic fair execution fragment of DAH with start state
s, and let $R = s.max\text{-}round$. Suppose that s is reachable. Let $\Theta$ denote the set of
minimal states of H where a state from V is reached. Then $E_{\phi_{id}}[H,\Theta] = O(Rn^2)$.

□

Proof. If $R = 0$, then $\Theta = \{s\}$, and thus $E_{\phi_{id}}[H,\Theta] = 0 = O(Rn^2)$. For the rest
of the proof assume that $R > 0$. Given a state q of H, we know that $\phi_{id}(q) =
\phi_{id,1}(q) + \cdots + \phi_{id,R}(q) + \phi'_{id}(q)$, where $\phi'_{id}(q) = \sum_{r > 0} \phi_{id,r+R}(q)$. For each $r > 0$,
let $\Theta_r$ be the set of minimal states q of H such that $\phi_{MaxRound}(q) \ge r$. Then, for
each $q \in \Theta_r$, $\phi_{id,r+R}(q) = 0$; for each state q of H and each $r > \phi_{MaxRound}(q)$,
$\phi_{id,r+R}(q) = 0$ ($DCF_{r+R}$ does not start until some process reaches round $r + R$). Fur-
thermore, by Lemma 20 and Proposition 4, there is a constant $c = (K+1)^2 n^2 + 2n$
such that for each probabilistic execution fragment H' of M, each full cut $\Theta'$ of H',
and each $i > 0$, $E_{\phi_{id,i}}[H',\Theta'] \le c$. Therefore, we are in the conditions to apply Propo-
sition 3: each round is a phase, and the numbers of inc and dec events that occur
within each round are the complexity measures for their corresponding round. Func-
tion $\phi_{MaxRound}$ is the measure of how many phases are started. By Proposition 3,
$E_{\phi'_{id}}[H,\Theta] \le c\, E_{\phi_{MaxRound}}[H,\Theta]$. By Theorem 7, $E_{\phi_{MaxRound}}[H,\Theta]$ is bounded by a constant
(independent of n). Therefore, $E_{\phi'_{id}}[H,\Theta] = O(n^2)$. Finally, since for each i, H, and
$\Theta$, $E_{\phi_{id,i}}[H,\Theta] = O(n^2)$, by Proposition 2, $E_{\phi_{id}}[H,\Theta] = O(Rn^2) + O(n^2) = O(Rn^2)$.



The main result is just a pasting together of the results obtained so far. An immediate
consequence for the algorithm of Aspnes and Herlihy is that, if we know that some
initialized process does not fail and that the maximum round is 1, then a decision
is reached within expected cubic time.



Theorem 22. Let H be a probabilistic fair, well-timed execution fragment of DAH
with a reachable start state s, and let $R = s.max\text{-}round$. Let $\Theta$ denote the set of
minimal states of H where a state from V is reached. Then $E_{\phi_t}[H,\Theta] = O(Rn^3)$.

Proof. By Lemma 16 and Proposition 2, $E_{\phi_t}[H,\Theta] \le d_1 n E_{\phi_{MaxRound}}[H,\Theta] + d_1 n R +
d_2 n E_{\phi_{id}}[H,\Theta] + d_3 n^2$. Thus, by Theorem 7 and Lemma 21, $E_{\phi_t}[H,\Theta] = O(Rn^3)$. □



11 Related Work 

There is an extensive literature on the description and analysis of randomized sys- 
tems. Objects with the same structure as probabilistic automata were introduced 
already by Rabin [34], even though with different motivations and objectives. 

From the modeling point of view there are several results in process algebras
[23, 15, 42, 3, 44, 8, 7, 9, 45, 10, 46, 17, 40], where algebras like CCS [28], CSP [18],
and ACP [5] are enriched with probability. Most of the algebras above do not deal
with nondeterminism and can be classified into reactive, generative, and stratified
according to [16]. Our probabilistic automata are an extension of the reactive model
of [16], while our probabilistic executions are an example of a generative process.
The algebras of [17, 45] do include nondeterminism. The algebra of [45] is used to
study a theory of testing for probabilistic systems; the algebra of [17] is based on
the alternating model of [43] and is used mainly to illustrate a new model checking
algorithm for probabilistic systems. In the alternating model there is a strict alter-
nation between states that enable only nondeterministic transitions and states that
enable a single probabilistic transition. In our model we avoid the alternation, thus
obtaining a structure which is closer to ordinary automata.
Other techniques for the analysis of randomized algorithms are studied in [30,
31, 35, 47, 12, 41]. Most of the work concentrates on properties that hold with
probability 1 and that can be verified simply by looking at the topology of a system.
In [30] a notion of extreme fairness is introduced, later generalized in [47] under the
name of $\alpha$-fairness. The set of $\alpha$-fair executions of a system has probability 1; thus,
the correctness of a system can be verified just by looking at its $\alpha$-fair executions.
The problem with the study of properties that hold with probability 1 is that it is
not easy to study the expected complexity of a system.

In [41] reasoning in the style of weakest preconditions is extended to probabilistic
systems using objects called predicate transformers. The method, though, seems to
be applicable only to small systems. It would be useful to investigate how methods
like those of [41] can be integrated with our way of reasoning about systems. In
[12] a different approach to the analysis of a randomized algorithm is presented.
An algorithm is viewed as a game between a player called scheduler, which tries
to degrade performance, and a player called luck, which fixes the outcome of some
coins trying to improve performance. We say that luck has a winning strategy with k
moves if luck can make the algorithm work against any scheduler by fixing the value
of at most k coins. In such a case it is possible to show that the algorithm works with
probability at least $1/2^k$. This approach can be seen as an instance of coin lemmas,
where the game is the rule to map the process of flipping k coins onto a probabilistic
execution.



12 Concluding Remarks 

We have shown how different forms of compositionality can be included in a model
for randomized distributed computation and can be used for the analysis of nontriv-
ial randomized distributed algorithms. We have identified three forms of composi-
tionality: process compositionality, property compositionality, and feature composi-
tionality. Process and property compositionality are just two new names for forms
of compositionality that are widely known in the literature; feature compositional-
ity, although typically used in mathematics, is a form of compositionality that is not
usually considered as compositionality. We have shown how feature compositionality
plays a crucial role in simplifying the analysis of a randomized system.

An obvious question is whether we have been lucky in our case study and whether
the main idea of separating probability from nondeterminism really works. Although
we cannot claim that it is always possible to obtain a clean separation between
probability and nondeterminism, our experience with the analysis of randomized
algorithms [25, 32, 1, 38] gives us reasonable confidence that a separation can be
obtained. The original choice of studying the algorithm of Aspnes and Herlihy [33]
was guided mainly by the idea of looking for an algorithm where such a separation
appeared to be difficult to achieve. Of course, the main problem in the analysis of a
system is to understand how to decompose the system, which is still nontrivial.

Another question concerns the generality of the model. In the interaction between
two systems we always assume that the probabilistic choices of each component
are independent. In other words, it is not possible for a process to condition the
probability distribution associated with the transitions of another process (our model
is not generative). This restriction limits considerably the field of application of
our theory. We understand that such limitations exist, and it would be desirable
to overcome them. Unfortunately, we do not know of any way of extending the
CSP synchronization style to a model that is not reactive, and on the other hand
we find such a synchronization mechanism very useful for the analysis of distributed
algorithms.

Acknowledgments. I would like to thank the organizers of COMPOS’97 for invit- 
ing me to the symposium and for the wonderful exchange environment they have 
provided. 
Abstract. Existing methodologies for the verification of concurrent sys-
tems are effective for reasoning about global properties of small systems.
For large systems, these approaches become expensive both in terms of
computational and human effort. A compositional verification method-
ology can reduce the verification effort by allowing global system prop-
erties to be derived from local component properties. For this to work,
each component must be viewed as an open system interacting with a
well-behaved environment. Much of the emphasis in compositional ver-
ification has been on the assume-guarantee paradigm where component
properties are verified contingent on properties that are assumed of the
environment. We highlight an alternate paradigm called lazy composition
where the component properties are proved by composing the component
with an abstract environment. We present the main ideas underlying lazy
composition along with illustrative examples, and contrast it with the
assume-guarantee approach. The main advantage of lazy composition is
that the proof that one component meets the expectations of the other
components can be delayed until sufficient detail has been added to the
design.



1 Introduction 

In the last two decades, there has been considerable progress in the verification of
concurrent, reactive systems. Much of the research has been devoted to the devel-
opment of formalisms such as temporal logics [Eme90, Lam94, MP92, CM88] and
process algebras [Hoa85, Mil80], and verification methods [Bar85, dBdRR90,
dBdRR94, Sha93a] based on deduction [Eme90, Lam94, MP92, CM88] and model
checking [CES86, Kur93, Hol91]. While these techniques are effective on small
examples — mutual exclusion, basic cache consistency algorithms, and simple
communication protocols — the difficult problem of scaling these techniques up
to large and realistic systems has remained largely unsolved.

Large-scale concurrent systems are usually defined by composing together 
a number of components or subsystems. The typical verification methods are 
non-compositional and require a global examination of the entire system. In 
the deductive approach to verification, this means that a property such as an 
invariant has to be verified with respect to each transition of all of the com- 
ponents in the system. Verification approaches based on model checking also 
fail to scale up gracefully since the global state space that has to be explored 
can grow exponentially in the number of components [GL94]. The purpose of a 
compositional verification approach is therefore to shift the burden of verification 
from the global level to the local, component level so that global properties are 
established by composing together independently verified component properties. 

To motivate compositional verification, we can consider a very simple exam-
ple of an adder component P shown in Figure 1 that adds two input numbers
x and y and places the output in z. Here x, y, and z can be program variables,
signals, or latches depending on the chosen model of computation. The system
containing P as a component might require its output z to be an even number,
but obviously P cannot unconditionally guarantee this property of the output
z. It might be reasonable to assume that the environment always provides odd
number inputs at x and y, so that with this assumption it is easy to show that
the output numbers at z are always even. Only local reasoning in terms of P is
needed to establish that z is always even when given odd number inputs at x
and y.

If, as is shown in Figure 2, P is now composed with another component Q
that generates the inputs at x and y, then to preserve the property that only
even numbers are output at z, Q must be shown to output only odd numbers
at x and y. However, the demonstration that Q provides only odd numbers as
outputs at x and y might require assumptions on the inputs taken by Q, where z
itself might be such an input. If in showing that Q produces odd outputs at x and
y, one has to assume that the z input is always even, then we have an obvious
circularity and nothing can be concluded about the oddness or evenness of x, y,
and z. If this circularity can somehow be broken, we then have a form of well-
founded mutual recursion between P and Q that admits a proof by simultaneous
induction that x and y are always odd and z is always even. The circularity can
be broken by noting that a z output for P is even as long as the preceding
x and y inputs are odd, and the x and y outputs for Q are odd as long as the
preceding z input is even.

Fig. 2. Odd and even number generators

The assume-guarantee paradigm is the best studied approach to composi-
tional verification [AL93, AL95, AP93, CMP94, Col93, Hoo91, Jon83, MC81, PJ91,
Pnu84, Sta85, XCC94, XdRH97, Zwi89]. In this approach, a property of a com-
ponent is stated as a pair (A, C) consisting of a guarantee property C that the
component will satisfy provided the environment to the component satisfies the
assumption property A. The interpretation of (A, C) has to be carefully defined
to be non-circular. Informally, a component P satisfies (A, C) if the environ-
ment to P violates A before the component fails to satisfy C. When two or more
components, $P_1$ satisfying $(A_1, C_1)$ and $P_2$ satisfying $(A_2, C_2)$, are composed
into a larger component $P_1 \| P_2$, the assumption A together with property $C_1$ of
component $P_1$ must be used to show that $P_1$ does not violate assumption $A_2$,
and correspondingly, A and $C_2$ must be used to show that $P_2$ does not violate
$A_1$. Discharging these proof obligations allows one to conclude that the com-
posite component $P_1 \| P_2$ has a similar property (A, C) where C follows from A,
$C_1$, and $C_2$. The assume-guarantee technique as described informally still suffers
from the earlier circularity. The formal details of the assume-guarantee technique
are deferred to Section 2. The assume-guarantee approach has been more widely
studied than actually used. The primary difficulty in applying this approach for
compositional verification is that it requires component guarantee properties to
be strong enough to entail any potential environment constraints. It is obviously
not easy to anticipate all the potential constraints that might be placed on a
component by the other components in a system.

The lazy composition approach advocated in this paper builds on conven-
tional techniques while avoiding the difficulties associated with the assume-
guarantee approach [Sha93b]. Lazy composition works at the level of the specifi-
cation of component behavior. In lazy composition, a property C of a component
specified as P is actually proved of the system $P \| E$ obtained by composing P
with an abstract environment specification E that captures the expected behav-
ior of the environment. When the component specification P is composed with
another component specification Q, then C might no longer be a property of the
specification $P \| Q$ since Q might not satisfy the constraint E. However, C is a
property of the composition $P \| (Q \wedge E)$ obtained by strengthening Q to addition-
ally satisfy E. This allows local properties such as C to be used as global prop-
erties of the specification of a larger system. If in fact the combined specification
$P \| (Q \wedge E)$ can be simplified to $P \| Q$, then clearly the constraint E is redundant
and can be eliminated. However, it is not imperative that (properties guaran-
teed by) Q already imply E as is the case with the assume-guarantee technique.
While the assumed environment specification has eventually to be shown to hold
of the other components in the system, this proof obligation can be discharged
lazily as the system design is being refined. The demonstration that $P \| (Q \wedge E)$
is refined by $P \| Q$ uses inductive reasoning on computations so that any possi-
ble circularity between assumptions E and guarantees C is avoided. Thus lazy
composition allows global properties to be proved by local component-wise rea-
soning combined with a one-time demonstration that each component satisfies
the accumulated constraints imposed by the other components. There are sev-
eral other tradeoffs between lazy composition and assume-guarantee reasoning
that are discussed in Section 3.

The lazy composition approach is quite general and can be applied to a wide 
variety of synchronous and asynchronous computational models, but this paper 
considers only one such model, namely, asynchronous transition systems with 
interleaving composition. 

We first present some background on compositional verification in Section 2. 
Lazy composition is introduced in Section 3. Some examples illustrating the use 
of lazy composition in verifying safety properties are presented in Section 4. 
The elimination of environment constraints by means of refinement proofs is 
described in Section 5. The verification of liveness properties using lazy compo- 
sition is given in Section 6. A comparison between lazy composition and other 
compositional approaches is given in Section 7. 

2 Background 

The presentation in this paper is entirely at the semantic level where we are 
dealing with states, predicates (sets) and relations on states, computations as 
infinite sequences of states, and properties as sets of computations. We will also 
speak of sets of sequences and properties interchangeably. 

Asynchronous Transition Systems. In its simplest form, an asynchronous tran-
sition system is a triple $(\Sigma; I, N)$ of a state type $\Sigma$, an initial set of states I,
and a reflexive (stuttering-closed) next-state relation N that defines the possible
atomic actions of the system. Seen as a closed system, i.e., one with no interac-
tion with an outside environment,¹ a valid computation of such a system consists
of an infinite sequence of states $\sigma$ whose initial state $\sigma(0)$ is in I, i.e., $I(\sigma(0))$
holds, and N holds of each pair of adjacent states, i.e., for all i, $N(\sigma(i), \sigma(i+1))$.
A property is a set of infinite state sequences. If P is an asynchronous transition
system, the set of its computations in the closed interpretation is represented
as $[\![P]\!]$. The transition system P has a property A, in symbols, $[\![P]\!] \models A$, iff the
set of computations $[\![P]\!]$ is a subset of the set of sequences corresponding to the
property A. We write $\models A$ when the property A is valid, i.e., contains all the
infinite sequences. Properties (sets of infinite sequences) can be combined with
connectives $\neg A$ (complement), $A \vee B$ (union), $A \wedge B$ (intersection), and $A \supset B$
which is defined as $\neg A \vee B$. One transition system P refines another transition
system Q when $\models [\![P]\!] \supset [\![Q]\!]$. In typical usage below, a transition system will
be given as $(I, N)$ leaving the state type $\Sigma$ implicit.

Safety Properties. A safety property informally asserts that nothing bad hap-
pens during a computation. Let $\sigma[i]$ represent the finite prefix consisting of the
first i states $\sigma(0) \ldots \sigma(i-1)$ of $\sigma$. A safety property [AS85] is one that excludes
an infinite sequence $\sigma$ exactly when it excludes all extensions $\sigma[i] \circ \rho$ of some
finite prefix $\sigma[i]$ of $\sigma$. This means that safety properties are falsified by some
finite prefix of a sequence. For any property A, there is a property $A^S$ (the
safety closure of A) which is the strongest safety property containing A, defined
as $\{\sigma \mid \forall i : \exists \rho : \sigma[i] \circ \rho \in A\}$. The property (set) $A^S$ is clearly a safety property.
If A is a safety property, we say that $\sigma[n] \in A$ when $\sigma[n] \circ \rho \in A$ for some $\rho$.

Liveness Properties. Liveness properties assert that something good eventually
happens during the computation. Such properties hold of some infinite extension
of any finite sequence $\sigma$, i.e., they can always be satisfied by an appropriately
chosen sequence of states. A liveness property can exclude an infinite sequence
$\sigma$ but must contain some extension of $\sigma[i]$ for each i. Given a property A, let $A^L$
(the liveness closure of A) be $A \vee \neg A^S$, where $\neg A^S$ represents the complement
of $A^S$. Then $A^L$ is a liveness property because if for some $\sigma$ there is no $\rho$ such
that $\sigma \circ \rho \in A^L$, then since $A \subseteq A^L$, $\forall \rho : \sigma \circ \rho \notin A$, but then $\forall \rho : \sigma \circ \rho \notin A^S$.
This is a contradiction since every infinite sequence must be in $A^L$ or $A^S$. Thus
every property A can be expressed as the conjunction of a safety property $A^S$
and a liveness property $A^L$ [Sch87].

Stuttering Invariance. A set of sequences A is stuttering invariant if whenever
$\sigma[i+1] \circ \rho \in A$ then $\sigma[i+1] \circ \sigma(i) \circ \rho \in A$. In words, if A contains a sequence,
then it contains all variants of this sequence obtained by stuttering individual
states in the sequence finitely often. Stuttering arises naturally when there is a
notion of an observation of a transition system so that some of the transitions
have no observable effect. Stuttering invariance is often imposed as a constraint

¹ The closed interpretation here means that each transition of a valid computation
satisfies the next-state relation N leaving no room for any environment transitions
other than those already specified by N.
on the allowable properties so that the resulting transition system can always
be implemented using internal unobservable state components.

Published explanations of assume-guarantee proof techniques often implicitly
rely on stuttering invariance without explicitly mentioning it. Stuttering invari-
ance is needed to argue that if we are given safety properties A and B such that
$\sigma[i] \in A$ and $\sigma[i] \in B$, then $\sigma[i] \in A \wedge B$. Such a result is valid if A and B
are stuttering invariant properties. To see how the result can fail to hold, let
A consist of the strictly increasing sequences of even numbers and B consist of
the strictly increasing sequences of prime numbers. Both A and B are safety
properties that are not stuttering invariant. The singleton prefix (2) is in both
A and B but $A \wedge B$ is empty.²

Expressing Properties. The above notions of computation and property are typ-
ical of the use of linear-time temporal logics for stating and proving properties
of closed systems. Examples of such logics include

— Manna and Pnueli's LTL [MP92] with the temporal operators ○ (next-
time), □ (always), and ◇ (eventually). Properties expressed in LTL that use
the ○ operator are not necessarily stuttering invariant.

— Chandy and Misra's Unity [CM88] with operators invariant, stable, unless,
until, and leadsto which are applied to state predicates so that temporal
formulas are not nested. Unity properties are stuttering invariant.

— Lamport's temporal logic of actions [Lam94] which drops the next-time
operator from linear-time temporal logic but allows temporal operators to
range over actions, i.e., binary relations over states. TLA is designed to
admit only stuttering invariant properties.

In the examples below, we restrict ourselves to some simple operators for
defining properties. If p is a predicate on states, then

1. invariant p holds of $\sigma$ iff $\forall i : p(\sigma(i))$. This is a safety property.

2. eventually p holds of $\sigma$ iff $\exists i : p(\sigma(i))$. This is a liveness property for any
satisfiable predicate p since any finite sequence can be extended to one in
which p eventually holds.

For a given transition system $(I, N)$, the invariance of p can be proved using
induction by showing that for all states s in $\Sigma$, $\vdash I(s) \supset p(s)$, and for all states
s and s', $\vdash p(s) \wedge N(s, s') \supset p(s')$.
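The inductive proof obligations just stated, applied to the adder P and odd-number generator Q of Figures 1 and 2 from the introduction, as an added example that is not part of the paper: each component is an (I, N) pair over a small finite state space, composition is intersection of the next-state relations, and the obligations are discharged by exhaustive enumeration. The concrete state domain, the modulus, the arithmetic of Q, and the abstract environment E ("inputs are odd") are assumptions made here for the example.

```python
"""Added example (not from the paper): the adder P and generator Q of
Figures 1 and 2 as asynchronous transition systems (I, N) over a finite state
space, with the inductive obligations  I(s) => p(s)  and
p(s) and N(s, s') => p(s')  checked by exhaustive enumeration.
Assumptions (constructed here): states are dicts over x, y, z with values
0..DOMAIN-1; P computes z := x + y and Q computes x := z + 1, y := z + 3,
both modulo DOMAIN (an even modulus, so parity behaves as in the unbounded
case); an environment step may change anything except the component's own
variables; E is the abstract environment "x and y are odd" used in P || E."""
from itertools import product

DOMAIN = 6
VARS = ("x", "y", "z")


def all_states():
    for vals in product(range(DOMAIN), repeat=len(VARS)):
        yield dict(zip(VARS, vals))


def unchanged(s, t, names):
    return all(s[v] == t[v] for v in names)


# Component P (adder): local variable z, inputs x and y.
def p_init(s):
    return s["z"] % 2 == 0


def p_next(s, t):
    fires = t["z"] == (s["x"] + s["y"]) % DOMAIN and unchanged(s, t, ("x", "y"))
    env_step = unchanged(s, t, ("z",))  # the environment must leave z alone
    return fires or env_step


# Component Q (generator): local variables x and y, input z.
def q_init(s):
    return s["x"] % 2 == 1 and s["y"] % 2 == 1


def q_next(s, t):
    fires = (t["x"] == (s["z"] + 1) % DOMAIN
             and t["y"] == (s["z"] + 3) % DOMAIN
             and unchanged(s, t, ("z",)))
    env_step = unchanged(s, t, ("x", "y"))
    return fires or env_step


# Abstract environment E for P: the inputs x and y are always odd.
def e_init(s):
    return s["x"] % 2 == 1 and s["y"] % 2 == 1


def e_next(s, t):
    return t["x"] % 2 == 1 and t["y"] % 2 == 1


def compose_init(*inits):
    return lambda s: all(i(s) for i in inits)


def compose_next(*rels):
    # [[P1 || P2]] is the intersection of [[P1]] and [[P2]]: a step of the
    # composition is a step of both, so simultaneous actions are included.
    return lambda s, t: all(r(s, t) for r in rels)


def inductive_invariant(init, nxt, p):
    """None if p is an inductive invariant of (init, nxt) over the finite
    state space; otherwise a counterexample ('init', s) or ('step', s, t)."""
    states = list(all_states())
    for s in states:
        if init(s) and not p(s):
            return ("init", s)
    for s in states:
        if not p(s):
            continue
        for t in states:
            if nxt(s, t) and not p(t):
                return ("step", s, t)
    return None


def odd_in_even_out(s):
    return s["x"] % 2 == 1 and s["y"] % 2 == 1 and s["z"] % 2 == 0


def p_alone_ok():
    # Open interpretation without constraints: P's I says nothing about x and
    # y and the environment may make them even, so P cannot guarantee z even.
    return inductive_invariant(p_init, p_next, odd_in_even_out) is None


def p_with_env_ok():
    # P || E: with odd inputs supplied by the abstract environment, z stays even.
    return inductive_invariant(compose_init(p_init, e_init),
                               compose_next(p_next, e_next), odd_in_even_out) is None


def p_q_ok():
    # P || Q: one simultaneous induction on "x, y odd and z even" breaks the
    # circularity between P's assumption on Q and Q's assumption on P.
    return inductive_invariant(compose_init(p_init, q_init),
                               compose_next(p_next, q_next), odd_in_even_out) is None
```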

Components as Open Systems. The next step is to extend the model to open
systems so that components can be independently specified and composed to
form larger systems. If $\Sigma$ is the set of global states of the large system, then a
component i can be given as a triple $(\Sigma; I_i, N_i)$. However, we can no longer take

² A weaker requirement than stuttering invariance suffices for the soundness of the
assume-guarantee proof reasoning methods. A safety property A must include the
infinite sequence $\sigma[i+1] \circ \sigma(i)^\omega$ obtained by infinitely stuttering the last state of any
nonempty finite prefix $\sigma[i+1]$ in A.
the closed interpretation since a computation must include the actions taken
by other components. In the open system interpretation, a computation is an
infinite sequence of states whose initial state is in $I_i$ and each pair of adjacent
states is either related by $N_i$ or is an arbitrary environment transition. The open
system interpretation is much too liberal and does not admit any interesting
properties since there are no constraints on the environment actions. This can
be partially overcome by placing weak constraints on the environment actions,
e.g., the values of the local variables of a component must be left unchanged
by its environment. With some constraint on the environment actions, one can
actually verify reasonably interesting local properties of a component. For ex-
ample, in TLA [Lam94], the next-state relation of a component is written as
$[N]_f$ which holds of a pair of states s, s' when $N(s, s') \vee f(s') = f(s)$. The state
function f typically projects out the local variables of the component so that the
environment transitions must not affect the values of these variables. In Lynch
and Tuttle's I/O automata [LT87], a component is an input-enabled automaton
with its own local state so that any component properties established with re-
spect to this interpretation remain globally valid even in composition with other
components.

Even with such restrictions on the environment behavior, the open system 
interpretation is somewhat weak since many properties of a component can only 
be proved by assuming a stronger degree of cooperation from the environment. 
We have already seen the example of the adder component of Figure 1 which 
can be shown to always output even numbers when given odd number inputs by 
its environment. 

The Owicki-Gries Method. The Owicki-Gries method [OG76] is the first at-
tempt at a component-wise decomposition of the verification problem. In this
method, one proves a global invariant of the composition $P_1 \| P_2$ by showing it
to be a local invariant of one of the components, say $P_1$, and a stable predicate,
i.e., one that is never falsified, of the other component $P_2$. In other words, one
component establishes the invariant and the other component does not falsify it.
This method is not really compositional since it requires global reasoning on all
the actions of each component in order to establish an invariant. The Owicki-
Gries method was originally proposed in the framework of a proof-outline logic
where program components are annotated with assertions. Such program-based
proof methods can be quite restrictive when compared to the use of high-level
behavioral specifications as given by asynchronous transition systems.

Compositional Verification Using the Assume-Guarantee Approach. The assume-
guarantee approach originally proposed by Jones [Jon83] and Misra and Chandy
[MC81] is perhaps the most widely studied compositional verification technique
for concurrent systems. The presentation of this approach given below is adapted
from Abadi, Lamport, and Plotkin [AL93, AL95, AP93] and Collette [Col94].
An assume-guarantee specification of a component property is given as a pair
(A, C) consisting of an assumption property A and a guarantee property C.

To capture (A, C), the property $A \mathbin{-\!\triangleright} C$ (A secures C) is defined as the subset
of $A \supset C$ given by $\{\sigma \in A \supset C \mid \forall i : \sigma[i] \in A^S \supset \sigma[i+1] \in C^S\}$. Thus
$A \mathbin{-\!\triangleright} C$ rules out unrealizable implementations of $A \supset C$ that exhibit compu-
tations where C fails before the failure of A can be detected by the component.
Similarly, $A \mathbin{-\!\blacktriangleright} C$ (A maintains C) is the set of $\sigma$ in $A \supset C$ such that for all
i, $\sigma[i] \in A \supset \sigma[i] \in C$. Note that $A \mathbin{-\!\triangleright} C = (A \supset C) \wedge (A^S \mathbin{-\!\triangleright} C^S)$, and
$A \mathbin{-\!\blacktriangleright} C = (A \supset C) \wedge (A^S \mathbin{-\!\blacktriangleright} C^S)$.

Composition of components $P_1 \| P_2$ is defined so that $[\![P_1 \| P_2]\!]$ is the inter-
section of $[\![P_1]\!]$ and $[\![P_2]\!]$. Since $P_1$ and $P_2$ are specified to allow environment
transitions, the composition of $P_1$ and $P_2$ includes all the interleavings of $P_1$
and $P_2$ actions, but also contains computations with simultaneous $P_1$ and $P_2$
actions.³

The main compositionality rule in the assume-guarantee method [AL95] is stated in Theorem 1.

Theorem 1.

$P_i \models A_i \xrightarrow{+} C_i$, for $i = 1, 2$
$\models A^{S} \wedge C_1^{S} \wedge C_2^{S} \supset A_1 \wedge A_2$
$\models A \xrightarrow{+} (C_1 \wedge C_2 \xrightarrow{\circ} C)$
------------------------------------------------
$P_1 \Vert P_2 \models A \xrightarrow{+} C$.

In words, in order to show that the composition $P_1 \Vert P_2$ has property $A \xrightarrow{+} C$, it suffices to establish the following premises of the compositionality rule:

1. Each $P_i$ has property $A_i \xrightarrow{+} C_i$.

2. The individual environment constraints $A_1$ and $A_2$ must be satisfied by the conjunction of the safety parts of the joint environment constraint $A$ and the guarantee properties $C_1$ and $C_2$.

3. The joint commitment $C$ must be maintained by the individual commitments $C_1$ and $C_2$ when secured by the environment assumption $A$.

The formal details justifying the assume-guarantee rule are fairly elaborate, but we can briefly convey some of the intuition by sketching the soundness argument. It is sufficient to focus our attention on infinite sequences $\sigma$ such that $\sigma \in (A_1 \xrightarrow{+} C_1) \wedge (A_2 \xrightarrow{+} C_2)$. To show $\sigma \in A \xrightarrow{+} C$, we need to prove both $\sigma \in A \supset C$ and $\sigma \in A^{S} \xrightarrow{+} C^{S}$. The argument proceeds in three steps:

- $\sigma \in (A^{S} \xrightarrow{+} C_1^{S} \wedge C_2^{S})$. That is, for any $n$, $\sigma[n] \in A^{S}$ implies $\sigma[n+1] \in C_1^{S} \wedge C_2^{S}$. This can be proved by induction on $n$ using premises 1 and 2, while noting that the stuttering invariance of $A^{S}$, $C_1^{S}$, and $C_2^{S}$ is used in this argument.

^4 To obtain a strict interleaving of $P_1$ and $P_2$ actions, such joint actions can be excluded by asserting that the variables written by $P_1$ and $P_2$ must be disjoint and never simultaneously updated. Another approach is to label each transition with the agent associated with it, and to have a disjoint set of agents associated with components $P_1$ and $P_2$.
- $\sigma \in A^{S} \xrightarrow{+} C^{S}$. By premise 3, for any $n$, $\sigma[n] \in A^{S}$ implies $\sigma[n+1] \in (C_1^{S} \wedge C_2^{S} \supset C^{S})$. From step 1, we therefore have $\sigma[n+1] \in C^{S}$.

- $\sigma \in A \supset C$. For $\sigma \in A$, since $A \supset A^{S}$, we have by $A^{S} \xrightarrow{+} C_1^{S} \wedge C_2^{S}$ that $\sigma \in C_1^{S} \wedge C_2^{S}$. By premise 2, this yields $\sigma \in A_1 \wedge A_2$. By premise 1 and the definition of $\xrightarrow{+}$, we have that $\sigma \in C_1 \wedge C_2$. We can then apply premise 3 with the definitions of the connectives $\xrightarrow{+}$ and $\xrightarrow{\circ}$ to obtain $\sigma \in C$.

There are some approaches to modular verification based on model checking that employ a weak form of assume-guarantee reasoning. In the work of Grumberg and Long [GL94], assume-guarantee properties $(A, C)$ are treated as implications $A \supset C$ and not as $A \xrightarrow{+} C$. Note that the use of implication for assume-guarantee reasoning is not valid in general, and is sound only for a restricted form of Theorem 1 where the cycle of dependencies between $A_1$, $C_2$, $A_2$, and $C_1$ has been broken. If $A$ and $C$ are just linear-time temporal logic (LTL) formulas, then LTL model checking can be used to verify $A \supset C$ of component $P$ since this implication is also in LTL. If $C$ is a CTL or CTL* formula, then the situation is more complicated since the implication $A \supset C$ is not a well-formed CTL or CTL* state formula, and furthermore, it does not capture the intended meaning of $A$ as an assumption [Jos90], which is that $C$ must hold on the computation tree whose paths have been pruned according to $A$. Then, $A$ can be chosen as a $\forall$CTL formula that characterizes the subtree of the computation tree that meets the assumption. For the case of $\forall$CTL assumptions and synchronous Moore machine composition, Grumberg and Long give a way of compiling the assumption $A$ into a tableau automaton so that checking $C$ on the composition of $P$ with the tableau is equivalent to $P \models A \supset C$. Kupferman and Vardi [KV96] analyze the complexity of various linear and branching-time variants of modular model checking. Alur and Henzinger [AH96] give an assume-guarantee rule for proving language containment in the context of the synchronous composition of a form of Mealy machines called reactive modules.
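The difference between the implication reading of Grumberg and Long and the secures connective can be checked mechanically on finite traces. The following Python is an added illustration and not code from the paper: it encodes a safety property as a predicate on finite prefixes, reads $\sigma[i]$ as the prefix of length $i$ (so $\sigma[0]$ is the empty prefix, which every safety property admits), and instantiates Theorem 1 with $A$ = true and $C = C_1 \wedge C_2$. The circular specification over states $(x, y)$, the trace SIGMA_BAD and all function names are constructed here, not taken from the paper.

```python
"""Secures versus plain implication for assume-guarantee pairs, checked on
finite traces.  Added illustration, not code from the paper: a safety
property is a predicate on finite prefixes (true iff the prefix has not
violated it yet), and sigma[i] is the prefix of sigma of length i."""
from itertools import product


def always(pred):
    """Safety property 'pred holds in every state', as a prefix predicate."""
    return lambda prefix: all(pred(s) for s in prefix)


def implies(A, C, sigma):
    """The Grumberg-Long reading of (A, C): A ⊃ C on the whole trace."""
    return (not A(sigma)) or C(sigma)


def secures(A, C, sigma):
    """A -+> C (A secures C): A ⊃ C, and whenever the prefix of length i is
    consistent with A, the prefix of length i+1 is consistent with C.  The
    one-step lag is what breaks circular dependencies between components."""
    return implies(A, C, sigma) and all(
        (not A(sigma[:i])) or C(sigma[:i + 1]) for i in range(len(sigma)))


def maintains(A, C, sigma):
    """A -o> C (A maintains C): the same condition without the one-step lag."""
    return implies(A, C, sigma) and all(
        (not A(sigma[:i])) or C(sigma[:i]) for i in range(len(sigma) + 1))


# Constructed circular specification over states (x, y): component 1 assumes
# x stays 0 and guarantees y stays 0; component 2 assumes y stays 0 and
# guarantees x stays 0.  Each assumption is exactly the other's guarantee.
X_STAYS_ZERO = always(lambda s: s[0] == 0)
Y_STAYS_ZERO = always(lambda s: s[1] == 0)
A1, C1 = X_STAYS_ZERO, Y_STAYS_ZERO
A2, C2 = Y_STAYS_ZERO, X_STAYS_ZERO


def circular_rule(rel, sigma):
    """Apply 'from A1 rel C1 and A2 rel C2 conclude C1 ∧ C2' (Theorem 1 with
    A = true and C = C1 ∧ C2).  Returns (premises hold, conclusion holds)."""
    premises = rel(A1, C1, sigma) and rel(A2, C2, sigma)
    return premises, C1(sigma) and C2(sigma)


def rule_is_sound(rel, max_len=4):
    """Exhaustively check over all traces of length <= max_len over {0,1}^2
    that the circular rule never derives a false conclusion when rel is used
    as the assume-guarantee connective."""
    states = list(product((0, 1), repeat=2))
    for n in range(1, max_len + 1):
        for sigma in product(states, repeat=n):
            premises, conclusion = circular_rule(rel, list(sigma))
            if premises and not conclusion:
                return False
    return True


# Constructed trace in which both variables leave 0 in the same step: each
# implication A_i ⊃ C_i is vacuously true, so implication "proves" C1 ∧ C2
# although neither guarantee holds; secures rejects the trace at step 1,
# because y breaks while the prefix seen so far still satisfies A1.
SIGMA_BAD = [(0, 0), (1, 1)]

if __name__ == "__main__":
    print("implication:", circular_rule(implies, SIGMA_BAD))
    print("secures:    ", circular_rule(secures, SIGMA_BAD))
    print("rule sound with implies?", rule_is_sound(implies))
    print("rule sound with secures?", rule_is_sound(secures))
```

The exhaustive check is the finite-trace shadow of the soundness sketch above: with secures, the induction on the prefix length goes through because each guarantee is only required one step after the matching assumption has been observed, so the two components can never both "wait" for the other.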

3 Lazy Composition 

Lazy composition differs from the assume-guarantee approach in several respects. 

1. Components are not treated as blackboxes. Compositional verification merely requires that properties be proved locally at the component level. It does not require that components be treated as blackboxes for this purpose. The assume-guarantee approach requires the assumptions to be discharged solely by means of the guarantee properties of a component. The actual implementation of the component is never used for discharging proof obligations. This means that the guarantee properties must either somehow anticipate the possible constraints imposed by other components, or they must contain implementation details. Lazy composition on the other hand does not take a blackbox view of components and allows the behavioral specification to be used for discharging the constraints imposed by other components. Since a typical high-level behavioral specification might not contain enough detail to discharge such external constraints, lazy composition allows the constraints to be discharged lazily as the specification is being refined.

Blackbox assume-guarantee specifications can be independently refined to yield implementations in terms of smaller blackbox components. Abadi and Lamport [AL95] give a decomposition rule for showing that $P' \Vert Q'$ refines $P \Vert Q$ when $P'$ refines $P$ and $Q'$ refines $Q$. This rule has a premise similar to premise 2 of the compositionality rule of Theorem 1, which has the same drawback of requiring the environment constraints to be anticipated in the blackbox specification.

2. Composition is not necessarily conjunction. Conjunction can be used to de- 
fine the interleaving composition of two asynchronous transition systems by 
a suitably chosen global constraint (see [AL95] and Footnote 4). Instead of 
encoding composition using conjunction, we regard the definition of the pre- 
cise notion of composition as something that is fixed by the model of com- 
putation and not by the inference rule for composition. For asynchronous 
composition, one takes the interleaving of the atomic actions of each compo- 
nent, whereas for synchronous composition, i.e., globally clocked systems, 
one takes the conjunction of the atomic actions. Other formalisms that 
have asynchronously operating components with synchronous communica- 
tion, e.g., CSP [Hoa85], can be modelled by means of a suitable definition 
of composition. 

3. Environment assumptions are specified as abstract components not proper- 
ties. One difficulty with environment assumptions as properties is that they 
apply to both the environment and the component. Typically, these con- 
straints should apply only to environment actions and not the component 
actions. If we take the example of a bank account component, the environ- 
ment might be required to only deposit and not withdraw money from the 
component but such a constraint should not apply to the component. There 
is no elegant way of stating this distinction between the component and 
its environment when the environment constraints are stated as properties 
rather than abstract components. 

4. No assume-guarantee proof obligations are generated. With lazy composition, properties of a component $P_i$ are proved in the context of an abstract environment $E_i$. The composition rule ensures that all local properties are global properties of the composition. It does this by adding (conjoining, as explained below) the environment constraints of one component to the specification of the other component so that the resulting system has the form $(P_1 \wedge E_2) \Vert (P_2 \wedge E_1)$.

This form of composition appears dishonest (and lazy) since it sidesteps 
the question of whether the original specification of one component satis- 
fies the environment assumptions of the other. However, specifications are 
meant to be partial and are therefore not always strong enough to antici- 
pate the environment constraints that can be placed on a component. The 
best that one can do therefore is assert that if the specification of each component is strengthened with the environment constraints required by the other component, then the resulting system satisfies the local properties of both components. If a component specification is strong enough to discharge any constraints placed on it, then the strengthening is redundant and can be eliminated by simplification. Otherwise, an implementation of the component is required to satisfy the stronger specification including the environment constraint.

The flexibility in postponing the assume-guarantee proof obligations is needed 
since some proofs might require the additional information that is provided 
when the specification is refined. If these proof obligations have to be proved 
as in the assume-guarantee proof method, then the component specifica- 
tions must be quite detailed and strong. Since no proof obligations are dis- 
charged and environment assumptions impose additional, possibly unantic- 
ipated, constraints on a component specification, a component cannot be 
independently refined in the lazy composition approach. A component can 
only be independently refined when the component specification already im- 
plies all the environment constraints that might be required of it. There is, 
however, an advantage to refining in the global context where these assump- 
tions are known since global properties can be exploited in the refinement 
(see Section 5). 

5. Composition can yield inconsistent specifications. This is also the case when 
composition is defined as conjunction. In the case of lazy composition, this 
can arise because there is no computation that is compatible with the col- 
lection of constraints given in the specification. 

Summarizing the discussion so far, lazy composition takes the middle ground 
between global verification as used in the Owicki-Gries approach and the strictly 
modular, property-based verification used in the assume-guarantee approach. 
Lazy composition is a proof style that uses a suitably weak characterization of 
a cooperative environment in composition with which a component can exhibit 
a given property. Once such an environment has been identified, the familiar 
verification techniques for proving safety, liveness, and refinement properties 
can be used. In the presentation of lazy composition, it will be assumed for 
convenience that there is a fixed environment specification for each component, 
but in practice, the environment can be varied according to the desired property 
of the component. 

We now move on to the details of lazy composition for asynchronous transition systems while noting that the techniques can easily be adapted to other models and notions of composition. As already stated, an asynchronous transition system is given by a triple $(\Sigma; I, N)$ consisting of the state type $\Sigma$, an initialization predicate $I$ on the state, and a binary next-state relation $N$. Given such a triple $P$ of the form $(\Sigma; I, N)$, the closed interpretation of $P$ is written as $[\![P]\!]$ and defined as the set of sequences $\{\sigma \mid I(\sigma(0)) \wedge \forall i : N(\sigma(i), \sigma(i+1))\}$. We focus mainly on closed interpretations since one cannot prove interesting properties of computations that admit arbitrary environment actions. When we are talking about components, we will assume that $\Sigma$ is the global state type and omit it from the transition system.

Given two transition systems, $P_1$ of the form $(I_1, N_1)$, and $P_2$ of the form $(I_2, N_2)$, the composition $P_1 \Vert P_2$ is the transition system $(I_1 \wedge I_2, N_1 \vee N_2)$. Note that composition essentially yields the interleaving of the component transitions.

The environment $E$ is also given as a transition system. A component together with its environment is given as a pair $P /\!/ E$. The set of computations corresponding to $P /\!/ E$, i.e., $[\![P /\!/ E]\!]$, is defined as $[\![P \Vert E]\!]$, i.e., the closed interpretation of $P \Vert E$. Note that though $P /\!/ E$ and $P \Vert E$ have the same computations, the notation $P /\!/ E$ is chosen to emphasize the syntactic asymmetry between component $P$ and environment $E$.

Given two transition systems $P_1$ and $P_2$, the conjunction of these, $P_1 \wedge P_2$, is $(I_1 \wedge I_2, N_1 \wedge N_2)$. Let $P_i^E$ denote the component-environment specification $P_i /\!/ E_i$. Given two component-environment specifications $P_1^E$ and $P_2^E$, the closed co-imposition of these two specifications $P_1^E \otimes P_2^E$ is defined as the transition system $(P_1 \wedge E_2) \Vert (P_2 \wedge E_1)$. The open co-imposition of $P_1^E$ and $P_2^E$, written as $P_1^E \times P_2^E$, is defined as $(P_1^E \otimes P_2^E) /\!/ (E_1 \wedge E_2)$ and its computations contain actions corresponding to

1. $P_1$ but respecting $E_2$,

2. $P_2$ but respecting $E_1$, and

3. Environment actions respecting $E_1$ and $E_2$.

The closed co-imposition $P_1^E \otimes P_2^E$ yields a system with only the actions of $P_1$ and $P_2$, whereas the open co-imposition $P_1^E \times P_2^E$ yields a system with environment actions that are constrained to conform to both $E_1$ and $E_2$. Both operators are associative and commutative. It is easy to see that the property preservation result given in Theorem 2 holds, so that $[\![P_1^E \otimes P_2^E]\!]$ and $[\![P_1^E \times P_2^E]\!]$ are both subsets of $[\![P_1^E]\!]$, and hence any properties of $P_1^E$ are also properties of $P_1^E \otimes P_2^E$ and $P_1^E \times P_2^E$.

Theorem 2.
$\models [\![P_1^E \otimes P_2^E]\!] \supset [\![P_1^E]\!]$
$\models [\![P_1^E \times P_2^E]\!] \supset [\![P_1^E]\!]$

We will henceforth ignore the closed co-imposition operator since its properties are similar to those of open co-imposition. The use of the co-imposition operation in lazy composition will be illustrated in Section 4. The obvious problem with lazy composition is that it asserts the property preservation of $P_1^E \times P_2^E$ and says nothing about $P_1 \Vert P_2$. By discharging proof obligations similar to those in Theorem 1, we can show that the transition system specification $P_1^E \times P_2^E$ is equivalent to the specification $(P_1 \Vert P_2) /\!/ (E_1 \wedge E_2)$, where the latter system contains actions corresponding to $P_1$ and $P_2$ without any restrictions, and the environment action $E_1 \wedge E_2$. In Section 5, we show that the environment constraints can be discharged in this manner by showing that $P_2$ refines $E_1$, and $P_1$ refines $E_2$. These refinement proofs can actually be carried out in the context of global invariants, i.e., invariants of $P_1^E \times P_2^E$. The resulting refinement proof obligations are similar to the assume-guarantee proof rule where $A^{S} \wedge C_1^{S} \wedge C_2^{S}$ must entail $A_1 \wedge A_2$.
Fig. 3. A FIFO buffer with environment (figure not reproduced)

4 Using Lazy Composition 

Lazy composition will be illustrated by means of the example of a FIFO buffer component that is composed from two smaller FIFO buffer components. This example has been frequently used with minor variations in the compositionality literature [Col93, AL95].

A single (bounded or unbounded) FIFO buffer component shown in Figure 3 consists of a buffer variable $b$ that contains a queue of values, and the input and output variables $in$ and $out$ which contain values or are empty, i.e., contain a distinguished value $\bot$. Two history variables are used to specify the correct behavior of the buffer. The variable $inh$ is a stack of all the non-$\bot$ values placed by the environment into $in$, and the variable $outh$ is the stack of non-$\bot$ values read by the environment from $out$. The non-stuttering actions of the buffer are:

- Read a non-$\bot$ value from the variable $in$ and enqueue it at the back of $b$ while setting $in$ to $\bot$. Formally, this is captured by the relation between the pre-state $(in, b, out, inh, outh)$ and the post-state $(in', b', out', inh', outh')$ as
$$read = \left\{\begin{array}{l} in \neq \bot \\ \wedge\ b' = enqueue(in, b) \\ \wedge\ in' = \bot \\ \wedge\ out' = out \\ \wedge\ outh' = outh \\ \wedge\ inh' = inh \end{array}\right.$$

- Dequeue a value from the front of queue $b$ and place this value in the variable $out$ when $out$ is empty. Formally,
$$write = \left\{\begin{array}{l} nonempty?(b) \\ \wedge\ out = \bot \\ \wedge\ b' = dequeue(b) \\ \wedge\ out' = front(b) \\ \wedge\ outh' = push(front(b), outh) \\ \wedge\ in' = in \\ \wedge\ inh' = inh \end{array}\right.$$
Fig. 4. FIFO buffer composed from smaller buffers (figure not reproduced)

In the initial state, all the variables associated with the buffer are empty. Formally,
$$initb = (out = \bot \wedge b = outh = null).$$
The buffer component $P$ is then given by the pair $(initb, read \vee write)$.

The environment component initializes the variables $in$ and $inh$ so that they are both empty:
$$inite = (in = \bot \wedge inh = null).$$
In each non-stuttering action, the environment leaves $b$ unchanged and may change the value of $in$ when empty and may set the value of $out$ to $\bot$. Formally,
$$load = (in = \bot \wedge in' \neq \bot \wedge inh' = push(in', inh))$$
$$unload = (out \neq \bot \wedge out' = \bot \wedge outh' = outh)$$
$$env = \left\{\begin{array}{l} (load \vee (in' = in \wedge inh' = inh)) \\ \wedge\ (unload \vee (out' = out \wedge outh' = outh)) \\ \wedge\ b' = b \end{array}\right.$$
The environment component $E$ is given by the pair $(inite, env)$.

It is easy to prove by induction that
$$[\![P /\!/ E]\!] \models \text{invariant } inh = \overline{in} \circ q2s(b) \circ outh,$$
where $\circ$ is stack concatenation, $q2s(b)$ converts the queue $b$ into a stack by repeatedly pushing elements from the front of queue $b$, and $\overline{in}$ is $push(in, empty)$ when $in \neq \bot$, and $empty$ otherwise. We have thus proved an invariant of a buffer component $P$ by assuming that the environment behavior is as specified by $E$. Compositional reasoning is used when two such buffers are composed as shown in Figure 4 to implement a single buffer. We do this by taking one instance $P_1 /\!/ E_1$ of the buffer as specified above but renaming the variables $b$ to $b_1$, $out$ to $mid$, and $outh$ to $midh$, and a second instance $P_2 /\!/ E_2$ with $b$ renamed to $b_2$, and where $in$ and $inh$ are just $mid$ and $midh$, respectively. In other words, buffer $P_1$ communicates values to buffer $P_2$ via $mid$.

Having already proved the invariant above for a FIFO buffer $P$, the goal now is to prove a similar invariant $inh = \overline{in} \circ q2s(b) \circ outh$, for some $b$, for the composition $(P_1 \Vert P_2) /\!/ (E_1 \wedge E_2)$ of the two buffers. However, we cannot use the invariant proved of $P$ for composite buffers with $P_1$ and $P_2$ since those invariants are proved for the systems $P_1 /\!/ E_1$ and $P_2 /\!/ E_2$.

The claim $\models [\![(P_1 \Vert P_2) /\!/ (E_1 \wedge E_2)]\!] \supset [\![P_1 /\!/ E_1]\!]$ is not provable since the definitions of $P_1$ and $P_2$ are not strong enough to imply the constraints $E_2$ and $E_1$, respectively. This is because $E_1$ specifies that each environment action must leave the buffer variable $b_1$ unchanged and that the variable $in$ must be written only by the environment. The actions of $P_2$ place no constraints on the update of the values of $b_1$ or $in$. Since we cannot demonstrate $\models [\![(P_1 \Vert P_2) /\!/ (E_1 \wedge E_2)]\!] \supset [\![P_1 /\!/ E_1]\!]$, the invariant for $P_1^E$, namely, $inh = \overline{in} \circ q2s(b_1) \circ midh$, cannot be used as a global invariant of $(P_1 \Vert P_2) /\!/ (E_1 \wedge E_2)$.

The best that we can do therefore is to conclude $\models [\![P_1^E \times P_2^E]\!] \supset [\![P_1^E]\!] \wedge [\![P_2^E]\!]$, so that the conjunction of the individual invariants holds for $P_1^E \times P_2^E$. From the conjunction of the two invariants:

1. $[\![P_1^E \times P_2^E]\!] \models \text{invariant } inh = \overline{in} \circ q2s(b_1) \circ midh$

2. $[\![P_1^E \times P_2^E]\!] \models \text{invariant } midh = \overline{mid} \circ q2s(b_2) \circ outh$

we can conclude
$$[\![P_1^E \times P_2^E]\!] \models \text{invariant } inh = \overline{in} \circ q2s(b_1) \circ \overline{mid} \circ q2s(b_2) \circ outh.$$
So if we take $b$ to be $s2q(q2s(b_1) \circ \overline{mid} \circ q2s(b_2))$ where $s2q$ is the inverse of $q2s$ and converts a stack back into the corresponding queue, we have the desired invariant $inh = \overline{in} \circ q2s(b) \circ outh$ for $P_1^E \times P_2^E$.

In proving this invariant, we have used only the corresponding invariants 
of the component buffers and some elementary lemmas about the concatena- 
tion operation. We have not directly used the specification of individual buffers 
themselves. We have worked at the level of the specification of the behavior 
of the individual buffers rather than the corresponding program which would 
be a complete specification of each transition. Since specifications can be par- 
tial, it makes sense to conjoin the environment constraints to the component 
specification rather than discharge them as proof obligations. Thus a more de- 
tailed implementation will have to satisfy the higher-level specification of the 
component as well as the constraints on the component imposed by the other 
components in the combined system. 
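The inductive argument behind these invariants can be run mechanically on a finite fragment of the state space. The following Python is an added illustration and not the paper's code: it encodes the read, write, load and unload actions as defined above, checks that the single-buffer invariant and the conjunction of the two local invariants are inductive for every pre-state of a bounded domain, checks that the conjunction entails the composed invariant through $s2q(q2s(b_1) \circ \overline{mid} \circ q2s(b_2))$, and shows that the local invariant of $P_1^E$ stops being inductive once the read of $P_2$ is taken as a relation that leaves $b_1$ unconstrained. The value domain {1, 2}, the length bounds, the encoding of $\bot$ as None, and the hand-simplification of the conjunctions $P_1 \wedge E_2$, $P_2 \wedge E_1$ and $E_1 \wedge E_2$ (justified by the disjointness of the variables each side writes) are assumptions made here.

```python
"""Bounded inductive check of the FIFO-buffer invariants of Section 4.
Added illustration, not the paper's code: the actions follow the paper's
read/write/load/unload definitions, but the finite data domain, the length
bounds on pre-states, the None encoding of ⊥ and the hand-simplified
conjunctions of the co-imposition are assumptions made here."""
from itertools import product

BOT = None               # assumed encoding of the empty value ⊥
VALUES = (1, 2)          # assumed finite data domain
QLEN, HLEN = 1, 2        # assumed bounds on queue / history lengths of pre-states

# Stacks: tuples with the top at index 0.  Queues: tuples with the front at index 0.
def push(v, st): return (v,) + st
def enqueue(v, q): return q + (v,)
def q2s(q): return tuple(reversed(q))      # push front first, so the back ends on top
def s2q(st): return tuple(reversed(st))
def bar(v): return () if v is BOT else (v,)    # \overline{v}: push(v, empty) or empty

def seqs(maxlen):
    return [tuple(s) for n in range(maxlen + 1) for s in product(VALUES, repeat=n)]

def domain(v):
    if v.endswith("h"): return seqs(HLEN)      # history stacks inh, midh, outh
    if v.startswith("b"): return seqs(QLEN)    # queues b, b1, b2
    return (BOT,) + VALUES                     # in, mid, out

def states(variables):
    for combo in product(*(domain(v) for v in variables)):
        yield dict(zip(variables, combo))

# Actions map a pre-state (a dict) to the list of its post-states; a variable
# not mentioned is left unchanged, which is the frame condition the paper
# writes out explicitly in read and write.
def read(inp, b):
    return lambda s: [] if s[inp] is BOT else [{**s, b: enqueue(s[inp], s[b]), inp: BOT}]

def write(b, out, outh):
    def act(s):
        if not s[b] or s[out] is not BOT: return []
        return [{**s, b: s[b][1:], out: s[b][0], outh: push(s[b][0], s[outh])}]
    return act

def load(inp, inh):      # environment fills an empty input variable
    return lambda s: [] if s[inp] is not BOT else [{**s, inp: v, inh: push(v, s[inh])} for v in VALUES]

def unload(out):         # environment empties the output variable
    return lambda s: [] if s[out] is BOT else [{**s, out: BOT}]

def opt(act):            # act ∨ (act's variables unchanged)
    return lambda s: [s] + act(s)

def seq(a, b):           # conjunction of two actions that write disjoint variables
    return lambda s: [t for u in a(s) for t in b(u)]

def inductive(variables, actions, inv):
    """Counterexample (s, s') if some action leads from an inv-state of the
    bounded domain to a non-inv state, else None (inv is inductive there)."""
    for s in states(variables):
        if inv(s):
            for act in actions:
                for t in act(s):
                    if not inv(t): return s, t
    return None

# Single buffer P // E over (in, b, out, inh, outh); env = (load ∨ skip) ∧ (unload ∨ skip).
SINGLE_VARS = ("in", "b", "out", "inh", "outh")
SINGLE_ACTS = [read("in", "b"), write("b", "out", "outh"),
               seq(opt(load("in", "inh")), opt(unload("out")))]
def inv_single(s): return s["inh"] == bar(s["in"]) + q2s(s["b"]) + s["outh"]

# Two buffers P1^E × P2^E over (in, inh, b1, mid, midh, b2, out, outh).  P1's
# write is also E2's load of mid and P2's read is also E1's unload of mid, so
# P1 ∧ E2 is a P1 action with an optional unload of out, P2 ∧ E1 is a P2 action
# with an optional load of in, and E1 ∧ E2 cannot touch mid at all.
COMP_VARS = ("in", "inh", "b1", "mid", "midh", "b2", "out", "outh")
COMP_ACTS = [seq(read("in", "b1"), opt(unload("out"))),
             seq(write("b1", "mid", "midh"), opt(unload("out"))),
             seq(read("mid", "b2"), opt(load("in", "inh"))),
             seq(write("b2", "out", "outh"), opt(load("in", "inh"))),
             seq(opt(load("in", "inh")), opt(unload("out")))]
def inv1(s): return s["inh"] == bar(s["in"]) + q2s(s["b1"]) + s["midh"]
def inv2(s): return s["midh"] == bar(s["mid"]) + q2s(s["b2"]) + s["outh"]
def inv_both(s): return inv1(s) and inv2(s)

def composite_b(s):      # b = s2q(q2s(b1) ∘ \overline{mid} ∘ q2s(b2))
    return s2q(q2s(s["b1"]) + bar(s["mid"]) + q2s(s["b2"]))

def inv_composed(s):     # inh = \overline{in} ∘ q2s(b) ∘ outh for that b
    return s["inh"] == bar(s["in"]) + q2s(composite_b(s)) + s["outh"]

def conjunction_entails_composed():
    """inv1 ∧ inv2 ⊃ inv_composed over the bounded domain: pure algebra of ∘,
    q2s and s2q, which is all the paper needs to derive the global invariant."""
    return all(inv_composed(s) for s in states(COMP_VARS) if inv_both(s))

def plain_composition_breaks_inv1():
    """In (P1 || P2) // (E1 ∧ E2) the read of P2 says nothing about b1, so as a
    relation it may change b1 arbitrarily; inv1 is then no longer inductive."""
    unconstrained_read2 = lambda s: [{**t, "b1": q} for t in read("mid", "b2")(s) for q in seqs(QLEN)]
    return inductive(COMP_VARS, [unconstrained_read2], inv_both)
```

The check enumerates only pre-states within the bounds but computes post-states exactly, so a counterexample is a genuine failure of inductiveness; absence of one over the bounded domain is evidence, not a proof, which is the usual status of a bounded explicit-state check.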

When refining $P_1$ to a more refined specification or a program in the context $P_1^E \times P_2^E$, it is valid to use all the global invariants that have been proved of $P_1^E \times P_2^E$. The introductory example involving odd and even numbers can be used to illustrate the use of such invariants in refinement. The system $P$ there is of the form $(I_P, N_P)$ where
$$I_P = even?(z)$$
$$N_P = (z' = x + y) \wedge (x' = x) \wedge (y' = y)$$
If $P$'s environment constraint $D$ is of the form $(I_D, N_D)$ where
$$I_D = odd?(x) \wedge odd?(y)$$
$$N_D = odd?(x') \wedge odd?(y') \wedge z' = z$$
then we can prove the invariant $even?(z) \wedge odd?(x) \wedge odd?(y)$ for the system $P /\!/ D$. Let $Q$ be defined to be $(I_Q, N_Q)$ where
$$I_Q = odd?(x) \wedge odd?(y)$$
$$N_Q = (x' = x + z) \wedge (y' = y + z) \wedge (z' = z)$$
Let $E$ be the unconstrained system consisting of the everywhere-true initialization predicate and next-state relation. We would now like to show that the constraint $D$ is satisfied by $Q$, but this is not true in general. It does however hold in the context of the invariant $even?(z) \wedge odd?(x) \wedge odd?(y)$. The use of invariants allows $[\![(P /\!/ D) \times (Q /\!/ E)]\!]$ to be simplified to $[\![P \Vert Q \Vert D]\!]$ since $P \wedge E$ simplifies to $P$, $D \wedge E$ simplifies to $D$, and $Q \wedge D$ can be simplified to $Q$ given
$$\vdash even?(z) \wedge odd?(x) \wedge odd?(y) \wedge N_Q \supset N_D.$$

We show how invariants can be used in proving a refinement relation between 
two transition systems using stepwise simulation in the next section. 

5 Discharging Proof Obligations by Refinement 

We now examine how the familiar notion of refinement via simulation can be used to simplify away the environment constraints $E_1$ and $E_2$ in the lazy composition $P_1^E \times P_2^E$. This is analogous to the assume-guarantee proof obligations (premise 2) except that lazy composition is more flexible about how and when these proof obligations are discharged. Recall that in the assume-guarantee approach, the assumptions of one component had to be discharged using the guarantee properties of all the components along with the global environment constraints. As we noted, this has the disadvantage that the guarantee properties have to be chosen to somehow anticipate the likely environment constraints. By contrast, in lazy composition, these proof obligations are discharged lazily during refinement.

The refinement rule establishes the conclusion $\models [\![P]\!] \supset [\![Q]\!]$ by showing that each transition of $P$ can be simulated by a transition of $Q$. In particular, this means that $P$ inherits all the properties of $Q$. The simulation of $P$ transitions by $Q$ transitions can be shown in the presence of invariants of $P$ and $Q$. The invariants might be needed because the simulation relation between the actions of $P$ and $Q$ might not hold outside their respective reachable states. The invariant that is used for $P$ can be an action invariant, a binary relation $r$ on $\Sigma$ such that $\forall i : r(\sigma(i), \sigma(i+1))$. In this case, we say that invariant $r$ holds of $\sigma$. Given a state predicate $p$, an action $r$, and two transition systems $P$ and $Q$ of the form $(I_P, N_P)$ and $(I_Q, N_Q)$, respectively, the refinement rule is stated in Theorem 3.
Theorem 3.

$[\![P]\!] \models$ invariant $r$
$[\![Q]\!] \models$ invariant $p$
$\vdash p(s) \wedge r(s, s') \wedge N_P(s, s') \supset N_Q(s, s')$
$\vdash I_P(s) \supset I_Q(s)$
------------------------------------------------
$\models [\![P]\!] \supset [\![Q]\!]$

The proof of the refinement rule is by a straightforward induction on the length of the computations in $[\![P]\!]$. The relevance of the refinement rule for compositional verification is that we can use it to eliminate the constraints imposed on one component by another. When composing specifications using the co-imposition operator, we end up with a specification $P_1^E \times P_2^E$ which is equivalent to $(P_1 \wedge E_2) \Vert (P_2 \wedge E_1) \Vert (E_1 \wedge E_2)$. To eliminate, say, $E_2$ from this specification, we need to show that $(P_1 \wedge E_2) \Vert (P_2 \wedge E_1) \Vert (E_1 \wedge E_2)$ can be refined by $P_1 \Vert (P_2 \wedge E_1) \Vert (E_1 \wedge E_2)$. The constraint $E_1$ can also be similarly eliminated. This kind of refinement can be carried out with the aid of a simple corollary to the refinement rule that can be used to show that $[\![P \Vert Q]\!]$ refines $[\![(P \wedge E) \Vert Q]\!]$ by showing that each $P$ transition can be simulated by an $E$ transition.

Corollary 4.

$[\![(P \wedge E) \Vert Q]\!] \models$ invariant $p$
$\vdash p(s) \wedge N_P(s, s') \supset N_E(s, s')$
$\vdash I_P(s) \supset I_E(s)$
------------------------------------------------
$\models [\![P \Vert Q]\!] \supset [\![(P \wedge E) \Vert Q]\!]$

Note that any global invariant $p$ can be used in proving the stepwise simulation. This is what justifies the use in Section 4 of the invariant $even?(z) \wedge odd?(x) \wedge odd?(y)$ in showing that the strengthening of the specification $Q$ with $D$ is redundant.
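The operators of Section 3 ($\Vert$, $\wedge$, $/\!/$, $\times$), the property preservation of Theorem 2, and the use of a global invariant in Corollary 4 can all be exercised on the odd/even example of Section 4 with an explicit-state check. The following Python is an added illustration and not the paper's code: it represents a next-state relation by a successor function over the finite domain $\mathbb{Z}_{16}^3$ (an even modulus is assumed so that addition preserves parity), computes closed interpretations by reachability, and checks the simulation premise of Corollary 4 for $Q$ against $D$ both with and without the invariant $even?(z) \wedge odd?(x) \wedge odd?(y)$. The class and function names are chosen here.

```python
"""Explicit-state version of the transition-system operators of Section 3
and of the odd/even refinement example of Sections 4 and 5.  Added
illustration, not the paper's code: the finite domain Z_16^3 (even modulus,
so addition preserves parity), the successor-set encoding of next-state
relations and the names below are assumptions made here."""
from itertools import product

M = 16
DOMAIN = frozenset(product(range(M), repeat=3))     # states are triples (x, y, z)

def even(n): return n % 2 == 0
def odd(n): return n % 2 == 1


class TS:
    """Transition system (I, N): init is a state predicate and post maps a
    state s to the frozenset of states s' with N(s, s')."""
    def __init__(self, init, post):
        self.init, self.post = init, post

    def __or__(self, other):       # P || Q = (I_P ∧ I_Q, N_P ∨ N_Q): interleaving
        return TS(lambda s: self.init(s) and other.init(s),
                  lambda s: self.post(s) | other.post(s))

    def __and__(self, other):      # P ∧ Q = (I_P ∧ I_Q, N_P ∧ N_Q)
        return TS(lambda s: self.init(s) and other.init(s),
                  lambda s: self.post(s) & other.post(s))

    def reachable(self):
        """States occurring in computations of the closed interpretation."""
        seen = {s for s in DOMAIN if self.init(s)}
        work = list(seen)
        while work:
            s = work.pop()
            for t in self.post(s):
                if t not in seen:
                    seen.add(t); work.append(t)
        return seen

    def invariant(self, p):
        return all(p(s) for s in self.reachable())


def closed(p, e):                  # P // E has the computations of P || E
    return p | e

def co_imposition(p1, e1, p2, e2): # P1^E × P2^E = ((P1 ∧ E2) || (P2 ∧ E1)) // (E1 ∧ E2)
    return closed((p1 & e2) | (p2 & e1), e1 & e2)

def trace_refines(concrete, abstract):
    """[[concrete]] ⊆ [[abstract]] by stepwise simulation with the identity
    relation: initial states are included, and from every reachable state of
    the concrete system each concrete step is also an abstract step."""
    if any(concrete.init(s) and not abstract.init(s) for s in DOMAIN):
        return False
    return all(concrete.post(s) <= abstract.post(s) for s in concrete.reachable())

def simulation_premise(p, concrete, abstract):
    """Side conditions of Corollary 4 with a supplied invariant p in place of
    reachability: I_concrete ⊃ I_abstract and p(s) ∧ N_concrete(s, s') ⊃
    N_abstract(s, s').  Returns None, or a counterexample (s, s')."""
    for s in DOMAIN:
        if concrete.init(s) and not abstract.init(s):
            return s, None
        if p(s):
            for t in concrete.post(s) - abstract.post(s):
                return s, t
    return None

def step(f):                       # a deterministic next-state relation
    return lambda s: frozenset([f(s)])

# The systems of the odd/even example.
P = TS(lambda s: even(s[2]), step(lambda s: (s[0], s[1], (s[0] + s[1]) % M)))
D = TS(lambda s: odd(s[0]) and odd(s[1]),
       lambda s: frozenset((x, y, s[2]) for x in range(1, M, 2) for y in range(1, M, 2)))
Q = TS(lambda s: odd(s[0]) and odd(s[1]),
       step(lambda s: ((s[0] + s[2]) % M, (s[1] + s[2]) % M, s[2])))
E = TS(lambda s: True, lambda s: DOMAIN)           # the unconstrained environment

def INV(s): return even(s[2]) and odd(s[0]) and odd(s[1])

def odd_even_example():
    """The claims of Sections 3 to 5 on this example, as a dict of booleans."""
    lazy = co_imposition(P, D, Q, E)              # (P ∧ E) || (Q ∧ D) || (D ∧ E)
    simplified = closed(P | Q, D)                 # the claimed simplification P || Q || D
    return {
        "P//D has the invariant": closed(P, D).invariant(INV),
        "co-imposition has the invariant": lazy.invariant(INV),
        "Theorem 2: co-imposition refines P//D": trace_refines(lazy, closed(P, D)),
        "Q refines D under the invariant": simulation_premise(INV, Q, D) is None,
        "Q refines D without the invariant": simulation_premise(lambda s: True, Q, D) is None,
        "P||Q||D refines the co-imposition": trace_refines(simplified, lazy),
    }

if __name__ == "__main__":
    for claim, holds in odd_even_example().items():
        print(f"{claim}: {holds}")
```

The two `simulation_premise` calls are the point of Corollary 4: from an arbitrary state such as $(0, 0, 0)$ the step of $Q$ violates $N_D$, but on every state satisfying the global invariant of the co-imposition it does not, so the strengthening of $Q$ with $D$ can be dropped.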



6 Liveness 

Compositional liveness reasoning is needed for showing progress properties for 
a component contingent on similar progress properties of other components. 
For example, the FIFO buffer can only guarantee that an output will always 
eventually be written if the environment can guarantee that a value in the out 
variable will always eventually be read. 

Liveness or progress assumptions have to be handled with some care in compositional verification. For example, suppose a component $P$ guarantees that output $z$ is eventually 4 assuming the input $x$ is eventually 3, and conversely, component $Q$ guarantees an eventual output 3 on $x$ assuming that the input $z$ is eventually 4. If the guarantee properties are used to discharge assumptions, then the composed system $P \Vert Q$ guarantees that $z$ will eventually take on the value 4 and that eventually $x$ will take on the value 3. This would be unsound since the system actually need not obey either eventuality for $x$ or $z$ and the individual assume-guarantee properties would still be satisfied. The assume-guarantee proof rule is carefully crafted to rule out this kind of circularity by ensuring in premise 2 that the assumptions have to be satisfied solely from the safety parts of the guarantee properties. Component liveness properties are instead expressed as implications in the property $C_i$ of a component $P_i$, where the antecedent of the implication is the fairness constraint on the other component. This antecedent is of course easily discharged in the conjunction $C_1 \wedge C_2$ if $C_2$ includes the fairness condition of $P_2$.

To admit proofs of liveness properties in lazy composition, it will be necessary to extend the notion of a transition system to include fairness conditions. An asynchronous transition system with fairness is of the form $(\Sigma; I, N, F)$ where $F$ is a fairness property that a valid computation must satisfy, i.e., $[\![(I, N, F)]\!] = [\![(I, N)]\!] \wedge F$. It is desirable that the $F$ component be used only to establish progress properties so that any safety property should follow from the system $(\Sigma; I, N)$ without $F$. For this to be the case, the fairness condition $F$ should be machine closed, i.e., any finite prefix $\sigma[n]$ in $[\![(I, N)]\!]$ should be extendable to a sequence $\sigma[n] \circ \rho$ in $[\![(I, N, F)]\!]$. $F$ is machine closed with respect to the transition system $[\![(I, N)]\!]$ iff $[\![(I, N, F)]\!]^{S} = [\![(I, N)]\!]$. For example, if $P$ is a transition system with only one state component $x$ whose value is initially 0, and a next-state relation $x' = x + 2 \vee x' = x + 3 \vee x' = x$, then the property eventually $x = 3$ is not a machine-closed fairness condition since it excludes the computations in which $x$ takes the value 2.

Typical notions of fairness such as weak and strong fairness are machine closed with respect to the closed interpretation of a single transition system. An action $r$ is said to be enabled in a state $s$, formally $enabled(r)(s)$, iff there exists a state $s'$ such that $r(s, s')$ holds. A predicate $p$ holds infinitely often on a sequence $\sigma$ iff $\forall i : \exists j : j > i \wedge p(\sigma(j))$. Similarly, an action $r$ holds infinitely often on $\sigma$ iff $\forall i : \exists j : j > i \wedge r(\sigma(j), \sigma(j+1))$. A sequence $\sigma$ is said to be weakly fair with respect to an action $r$ iff either $\neg enabled(r)$ holds infinitely often or $r$ holds infinitely often on $\sigma$. A sequence $\sigma$ is said to be strongly fair with respect to action $r$ iff $r$ holds infinitely often on $\sigma$ when $enabled(r)$ does. It can be shown that $F$ is machine closed with respect to transition system $(I, N)$ if $F$ is a conjunction of weak and strong fairness assertions on actions $r_1, \ldots, r_n$ such that each $r_i$ is unblocked in $(I, N)$,^5 i.e.,
$$[\![(I, N)]\!] \models \text{invariant } enabled(r_i) \supset enabled(r_i \wedge N).$$
When $F$ is machine closed with respect to $(I, N)$, we say that the fair transition system $(I, N, F)$ is machine closed.

The situation is not so simple for transition systems whose computations include both component and environment transitions. The definition of composition for fair asynchronous transition systems is
$$(I_1, N_1, F_1) \Vert (I_2, N_2, F_2) = (I_1 \wedge I_2, N_1 \vee N_2, F_1 \wedge F_2).$$

^5 Abadi and Lamport [AL95] state this constraint differently by requiring each $r_i$ to be a possible program action. This is equivalent since the fairness constraint $r_i$ can just as well be taken to be $N \wedge r_i$.
The purpose of distributing the fairness conditions among the various components is to allow componentwise properties to be deduced using just the relevant global fairness conditions. In particular, machine closure is defined only with respect to a closed interpretation so that it is only required for specifications such as $P /\!/ E$ or $P_1^E \times P_2^E$. Given the above definition of composition for fair asynchronous transition systems, all fairness conditions are global and apply to all components.

In a blackbox style of component specification, implementability considera- 
tions require the component fairness condition to be machine closed with respect 
to the open interpretation, and also receptive, i.e., machine closed without rely- 
ing on cooperation from the environment. The receptiveness constraint on the 
fairness condition can exclude unconditional strong fairness constraints since a 
hostile environment can enable and disable a component action r without allow- 
ing the component a chance to execute r. Receptiveness is a sensible restriction 
when specifying an open component operating in an uncontrolled environment, 
but this is not the situation in compositional verification since the environment 
includes components whose specifications are an integral part of the design. 

Given the definition of composition extended with fairness conditions, the definitions of the operations $\otimes$ and $\times$ remain unchanged from Section 3. The property preservation results claimed in Theorem 2 also hold in the presence of fairness conditions.

There is however one serious problem with lazy composition in the presence of fairness. The co-imposition $P_1^E \times P_2^E$ of machine-closed specifications $P_1 /\!/ E_1$ and $P_2 /\!/ E_2$ is not necessarily machine closed. The co-imposition contains the conjunctions $P_1 \wedge E_2$, $P_2 \wedge E_1$, and $E_1 \wedge E_2$. The conjunction of two transition systems $(I_1, N_1, F_1) \wedge (I_2, N_2, F_2)$ is defined as $(I_1 \wedge I_2, N_1 \wedge N_2, F_1 \wedge F_2)$. Since the actions of the conjoined transition system are specified by $N_1 \wedge N_2$, which is more constrained than either $N_1$ or $N_2$, the fairness condition $F_1 \wedge F_2$ might not be machine closed in the resulting transition system. For example, let $x' = x + 1$ be a possible action of $P_1$ where $P_1$ initializes $x$ to 0 and has no actions that decrement or reset $x$. Then it can be proved of $[\![P_1^E]\!]$ that if the increment action is weakly fair, then eventually $x = 3$. However, if $E_2$ in $P_2^E$ requires that $x$ not be incremented, then the set of computations $[\![P_1^E \times P_2^E]\!]$ is empty since the only possible computations are those where the value of $x$ is never changed and these are ruled out by the weak fairness requirement on the increment action. Of course, the property eventually $x = 3$ is vacuously preserved in this case. Note that machine closure is violated in this example even if $P_2$ contains no fairness conditions simply because $E_2$ blocks a fair action of $P_1$.

There is therefore a proof obligation that the system $P_1^F \times P_2^F$ be shown to be machine closed. In the special case of fairness conditions that only contain weak and strong fairness assertions, this proof obligation can be discharged by showing that each fair action is unblocked in the combined system. 
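The unblockedness check can be carried out mechanically on a finite model of the counter example above. The following Python script is an added illustration, not code from the paper: it represents each component by a next-state relation over a bounded counter $x$, conjoins the relations as $N_1 \wedge N_2$, computes the reachable states of the conjoined system, and reports every reachable state in which a weakly fair action of $P_1$ is enabled under $N_1$ alone but has no successor under $N_1 \wedge N_2$. The bound MAX, the function names, and the permissive environment variant P2' are assumptions of the example.

```python
"""Machine-closure obligation for lazy composition with fairness.

A transition system is modelled over a finite state space (a single
counter x in 0..MAX) by a set of initial states, a next-state relation
and a table of named actions that carry a weak-fairness condition.
Composing two systems conjoins their next-state relations (N1 and N2),
and the obligation is that every fair action of a component is still
unblocked in the conjoined system on every reachable state.
"""
from collections import deque

MAX = 5                 # state-space bound, an assumption of this example
STATES = range(MAX + 1)


def inc(s, t):
    """The increment action x' = x + 1 of P1."""
    return t == s + 1


def n1(s, t):
    """P1: increment or stutter; never decrements or resets x."""
    return inc(s, t) or t == s


def n2_blocking(s, t):
    """P2 of the text: x must not change at all."""
    return t == s


def n2_permissive(s, t):
    """A variant P2' that never blocks the increment (assumption)."""
    return t == s or t == s + 1


def reachable(init, rel):
    """Breadth-first search of the states reachable under `rel`."""
    seen, queue = set(init), deque(init)
    while queue:
        s = queue.popleft()
        for t in STATES:
            if rel(s, t) and t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def enabled(action, s, rel):
    """`action` is enabled at s under `rel` if some successor t satisfies
    both action(s, t) and rel(s, t)."""
    return any(action(s, t) and rel(s, t) for t in STATES)


def blocked_fair_actions(init, own, fair, other):
    """Return [(name, state)] for each reachable state of the conjoined
    system where a fair action of the component is enabled under its own
    relation `own` but has no successor under own /\\ other."""
    def conjoined(s, t):
        return own(s, t) and other(s, t)
    violations = []
    for s in sorted(reachable(init, conjoined)):
        for name, action in fair.items():
            if enabled(action, s, own) and not enabled(action, s, conjoined):
                violations.append((name, s))
    return violations


def check_example():
    """Discharge (or fail to discharge) the obligation for both P2 variants."""
    fair = {"inc": inc}
    return (blocked_fair_actions({0}, n1, fair, n2_blocking),
            blocked_fair_actions({0}, n1, fair, n2_permissive))


if __name__ == "__main__":
    blocked, unblocked = check_example()
    print("P2 forbids increments, blocked fair actions:", blocked)
    print("P2' allows increments, blocked fair actions:", unblocked)
```

With the blocking $P_2$ the script finds the increment blocked in the initial state $x = 0$, which is exactly the failure of machine closure described above; with the permissive variant no fair action is ever blocked, so the obligation is discharged for every reachable state.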

The notion of refinement used to eliminate environment constraints has to be extended to fair asynchronous transition systems. The goal is to show that $\models [\![(I_P, N_P, F_P)]\!] \supset [\![(I_Q, N_Q, F_Q)]\!]$. For this, we need to add one additional premise to the refinement rule in Section 5. 

Theorem 5. 

$[\![P]\!] \models \mathit{invariant}\ r$ 
$[\![Q]\!] \models \mathit{invariant}\ p$ 
$\vdash p(s) \wedge r(s, s') \wedge N_P(s, s') \supset N_Q(s, s')$ 
$\vdash I_P(s) \supset I_Q(s)$ 
$[\![(I_P, N_P, F_P)]\!] \models F_Q$ 
----- 
$\models [\![P]\!] \supset [\![Q]\!]$ 

The discharging of the new premise can require temporal reasoning. For the case of fairness conditions that are conjunctions of weak and strong fairness assertions, one can simply show that for any weakly fair action $\tau_i$ in $Q$ there is a weakly or strongly fair action $\tau'_i$ in $P$ such that 

$[\![(I_P, N_P)]\!] \models \mathit{invariant}\ \tau'_i \supset \tau_i$ 

and 

$[\![(I_P, N_P)]\!] \models \mathit{invariant}\ \mathit{enabled}(\tau_i) \supset \mathit{enabled}(\tau'_i \wedge N_P)$. 

Similarly, to each strongly fair action in $Q$ there must be a corresponding strongly fair action in $P$. 

Returning to the example of the FIFO buffer, if the actions read and write are weakly fair, and the unload action for the buffer environment is weakly fair, then in any fair computation of this transition system it is always the case that a state in which $x = \mathit{in} \neq \bot$ is eventually followed by (i.e., leads to, in the terminology of temporal logic) a state in which $\mathit{out} = x$. 

7 Discussion 

We have argued thus far that lazy composition is superior to the assume-guarantee 
method for compositional verification on the grounds that: 

1. Lazy composition employs proof methods that are already familiar whereas 
the assume-guarantee proof rule is quite formidable. 

2. Assume-guarantee methods require specifications that can anticipate future 
environment constraints. 

3. The assume-guarantee assumptions apply to both component and environ- 
ment and it is awkward to restrict these so that they only constrain the 
environment. 

4. Assume-guarantee specifications are more appropriate for writing blackbox 
characterizations of open components rather than for compositional verifica- 
tion where the point is to achieve a useful decomposition of the verification 
task. 

The advantage of lazy composition with respect to non-compositional, global reasoning as characterized by the Owicki-Gries approach [OG76] is that it combines the simplicity of global reasoning with the economy of using an abstract characterization of the environment rather than the actual components in the environment. This abstract characterization can be used to prove a number of component properties. The actual components can then be shown to conform to this abstract characterization by means of a refinement proof. 

The Owicki-Gries approach is subsumed by lazy composition. If $P$ is a component that is required to satisfy an invariant $p$, then we can take the environment $E$ to be the transition system that merely preserves $p$, i.e., $\vdash N_E(s, s') \wedge p(s) \supset p(s')$. Then the refinement proof obligation reduces to a 
global demonstration that each component that is composed with P preserves 
the invariant. This is obviously the most general assumption one can make of an 
environment to P given that one wants to establish the invariant p, but it is not 
the optimal way to use lazy composition. The more appropriate use of lazy com- 
position is by describing the allowed or intended environment actions that are 
relevant to the state variables that are read or written by component P and that 
are needed to obtain useful properties of P. Thus lazy composition modularizes 
the global reasoning by identifying suitable abstractions for the environment of 
each component. 

7.1 Other Applications of Lazy Composition 

We have employed lazy composition in the verification of the safety properties of an $N$-process mutual exclusion algorithm [Sha97] and the alternating-bit communication protocol [BSW69]. These verifications have been carried out 
using PVS [ORS92]. The mutual exclusion algorithm has been verified using a 
combination of induction, abstraction, and model checking. The algorithm uses a 
Boolean turn variable for each process to arbitrate access to successive rounds of 
competition using 2-process mutual exclusion, for eventual access to the critical 
section. The environment to each process has to be constrained to not affect 
the value of this turn variable in an undesirable way, e.g., when a process has 
checked the turn value and has entered its critical section. 

The example of the alternating-bit protocol consists of a sender process, a 
receiver process, and the message and acknowledgement channels. The sender 
process constrains its environments merely to drop messages from the message 
channel, and the receiver process similarly constrains the value of the acknowl- 
edgement channel. With these constraints, it is possible to carry out a modular 
verification of the safety property of the alternating-bit protocol where all the 
invariants are proved solely by local reasoning in terms of the receiver or the 
sender process, possibly using previously proved global invariants. 



8 Conclusions 



We have presented the details of the paradigm of lazy compositional verification. This approach has several advantages over the assume-guarantee paradigm. We have formalized lazy compositional verification within PVS [ORS92] and verified several medium-scale examples with this approach. We do not yet have any conclusive evidence that the method scales up to larger systems. Lazy composition can be adapted to models other than asynchronous transition systems by suitably altering the definitions of composition, conjunction, and refinement. Lazy composition does not need any new verification machinery since it builds on existing techniques for proving safety, liveness, and refinement properties. 

Abstract. Assumption-Commitment paradigms have been investigated 
to derive tractable rules for composing specifications of concurrent sys- 
tems. We first give a short survey of several typical composition rules, 
and then we adopt the principle to reason about real time systems. An 
extension of Duration Calculus capable of describing infinite behaviours 
and instantaneous actions is proposed. In the calculus, verification tech- 
niques based on assumption-commitment are incorporated. 



1 Introduction 

Compositionality is an important property for verification and development of 
any sizeable systems [10]. In verification, it allows the likely formidable task of 
proving correctness of the whole system to be decomposed into more manageable 
pieces, and in development, it additionally supports early reasoning of designs 
before they are further developed and implemented. However, in the presence of 
concurrency, compositionality is difficult to achieve, due to interactions among 
processes. A compositional theory consists of a semantics and a set of rules for 
verification and development, with the rules justified in the semantics. In the lit- 
erature, several compositional semantics were formulated, usually in the context 
of some particular forms of concurrency mechanisms. Typically, the semantics 
of a system is given as a set of behaviours consisting of interleaving atomic ac- 
tions from different processes, and the semantics of a parallel composition can 
be viewed as some forms of intersections of the semantics of constituent compo- 
nents. 

Defining the semantics of parallel composition as set intersection leads to a 
simple rule of composition: 

Rule 1 

$P_i\ \mathit{sat}\ S_i$ 
----- 
$P_1 \| P_2\ \mathit{sat}\ S_1 \wedge S_2$ 

Usually the specification $S_i$ says that $P_i$ guarantees some properties under certain conditions. Therefore, it is most natural to express the specification by logical implication, that is, as $A_i \Rightarrow C_i$, where $A_i$ is called an assumption and $C_i$ is called a commitment. Sometimes, assumptions and commitments of several 
components are mutually dependent, and then composing them to conclude a 
global property becomes a nontrivial task. For instance, it is easy to see that the 
following simple minded rule is unsound. 

An incorrect rule (circular reasoning) 

$A \wedge C_1 \Rightarrow A_2 \qquad A \wedge C_2 \Rightarrow A_1$ 
$P_i\ \mathit{sat}\ A_i \Rightarrow C_i$ 
----- 
$P_1 \| P_2\ \mathit{sat}\ A \Rightarrow C_1 \wedge C_2$ 

In some cases, the dependency of components is acyclic, and then the following 
rule could be used 

Rule 2 

$A \wedge C_1 \wedge \cdots \wedge C_{i-1} \Rightarrow A_i$ 
$P_i\ \mathit{sat}\ A_i \Rightarrow C_i$ 
----- 
$P_1 \| \cdots \| P_n\ \mathit{sat}\ A \Rightarrow C_1 \wedge \cdots \wedge C_n$ 

In the general case, where the dependency of components is circular, assump- 
tions and commitments have to be composed in more involved ways. One method 
to avoid circular reasoning is to introduce a more sophisticated interpretation 
of an assumption-commitment specification than simple implication. This was 
first proposed by Misra and Chandy [18] for the verification of OCCAM-like com- 
munication based programs. The method was further developed by several other 
researchers, e.g., Pandya and Joseph [23]. Jones [12] proposed a similar method 
for shared variable concurrency, where the assumption-commitment pair can be 
interpreted in the same way. Jones' method is further developed by Stirling [27], Stølen [28] and ourselves [31]. 

Underlying these methods is a ‘Non First Strike’ principle, where the as- 
sumption - commitment pair (A, C) is defined by a ‘spiral’ interpretation: 

If the environment satisfies assumption A until the current moment, then 
the component satisfies commitment C after the current step, that is, 
until the next moment. 

When a system is composed of several components, the environment of a com- 
ponent is formed by the rest of the system. If each component satisfies the 
individual specification, which says that the component can only make a wrong 
move after the environment has, it follows that none of the components can make 
a wrong move. 

This paper is organised as follows. First, we give an overview of the assump- 
tion - commitment paradigm by reviewing several typical rules, and these include 
the rules for verifying OCCAM-like and shared variable programs, as well as a rule 
in a temporal setting. Next we investigate compositional verification of real time 
systems. For this, one needs a logic capable of expressing timing information. We 
propose an extension of Duration Calculus, which is an interval based temporal 
logic, and our extension is capable of describing both infinite behaviours and in- 
stantaneous actions. Verification techniques based on assumption-commitment 
are incorporated in the calculus. The paper is concluded with a short discussion. 

2 The Assumption— Commitment Paradigm 

2.1 Extensions of Hoare Logic 

Assumption-commitment rules were first studied as extensions of Hoare Logic. 
Among several variations we briefly review a typical one, which can be considered as roughly about total correctness. The specification is a tuple $(p, A, C, q)$ where $p$ and $q$ are precondition and postcondition whereas $A$ and $C$ are assumption and commitment describing interactions between the environment and the component. To give a more precise interpretation of the correctness notion, we introduce some definitions. A behaviour is a finite or infinite sequence of states $\sigma = \sigma_0 \sigma_1 \ldots \sigma_i \ldots$, where $\sigma_i$ is the $(i+1)$-th state of $\sigma$. As usual, $\sigma \models \varphi$ indicates that $\sigma$ satisfies predicate $\varphi$. Let $\sigma|k$ denote the prefix of $\sigma$ of length $k$. A process $P$ satisfies a specification $(p, A, C, q)$, denoted as $P\ \mathit{sat}\ (p, A, C, q)$, is interpreted as follows: for any behaviour $\sigma$ of $P$ 

I) for any $k$, if $\sigma_0 \models p$ and $\sigma|k \models A$, then $\sigma|(k{+}1) \models C$, 

II) if $\sigma_0 \models p$ and $\sigma \models A$, then 

• $P$ performs only a finite number of transitions, 

• if $\sigma$ is a finite behaviour, then the final state satisfies $q$. 

OCCAM-like Programs 

The semantics of an OCCAM-like program is defined by observations over communication traces and local states. Let the variable space be extended with a variable $h$ storing the communications performed so far. The semantics can be defined as a set of behaviours of the extended states. In the specification, $A$ and $C$ are predicates over $h$. Projections of the trace onto channel $a$, and onto channels $a$ and $b$, for example, are denoted by $h_a$ and $h_{ab}$ respectively. Precondition $p$ and postcondition $q$ are predicates over all the variables. For any sequence of states $\sigma$ and a predicate $\varphi$ which is either the assumption $A$ or the commitment $C$, define 

$\sigma \models \varphi$ iff $\sigma_i \models \varphi$ for any state $\sigma_i$ in $\sigma$. 

Subsequently, condition I) above becomes 

for any $k$, if $\sigma_0 \models p$ and $\sigma_i \models A$ for any $0 \le i < k$, then $\sigma_i \models C$ for any $0 \le i \le k$. 



The following parallel composition rule was studied in [18,23]: 

568 Q. Xu and M. Swarup 

Rule 3 

$P_1\ \mathit{sat}\ (p, A_1, C_1, q_1) \qquad A \wedge C_1 \Rightarrow A_2 \qquad p \wedge A \Rightarrow A_1 \wedge A_2$ 
$P_2\ \mathit{sat}\ (p, A_2, C_2, q_2) \qquad A \wedge C_2 \Rightarrow A_1 \qquad C_1 \wedge C_2 \Rightarrow C$ 
----- 
$P_1 \| P_2\ \mathit{sat}\ (p, A, C, q_1 \wedge q_2)$ 

Suppose process $P_1$ has two input channels $a$ and $b$, with channel $a$ from the overall environment and channel $b$ from $P_2$. Assume (by $A$) that the overall environment either sends nothing or the number 2 on channel $a$, and suppose process $P_2$ guarantees (by $C_2$) to send nothing or the number 5 on channel $b$. Then the combined information that process $P_1$ may assume is the conjunction of the two: the only possible message on channel $a$ is 2 and the only possible message on channel $b$ is 5. 

Example: Consider the simple program $P_1 \| P_2$ with $P_1 = a?x;\ b!x^2;\ c?y$ and $P_2 = b?z;\ c!z^3$. Assume the input value on channel $a$, if there is one, is 3. This is expressed by letting $A$ be the predicate $h_a \preceq \langle (a, 3) \rangle$, where $\preceq$ denotes the prefix relation. Then we know that the value passed to process $P_2$ is 9, and the value sent back to $P_1$ is 729. The program satisfies the specification 

$p : h_{abc} = \langle\rangle$, $\quad q : x = 3 \wedge y = 729 \wedge z = 9$, 

$A : h_a \preceq \langle (a, 3) \rangle$, $\quad C : h_b \preceq \langle (b, 9) \rangle \wedge h_c \preceq \langle (c, 729) \rangle$ 

and this can be proved by using the parallel composition rule. Indeed, $P_1$ satisfies 

$p : h_{abc} = \langle\rangle$, $\quad q_1 : x = 3 \wedge y = 729$, 

$A_1 : h_a \preceq \langle (a, 3) \rangle \wedge h_c \preceq \langle (c, 729) \rangle$, $\quad C_1 : h_b \preceq \langle (b, 9) \rangle$ 

and $P_2$ satisfies 

$p : h_{abc} = \langle\rangle$, $\quad q_2 : z = 9$, 

$A_2 : h_b \preceq \langle (b, 9) \rangle$, $\quad C_2 : h_c \preceq \langle (c, 729) \rangle$. 



Shared Variable Programs 

The standard way to give a compositional semantics to shared variable programs, as suggested first by Aczel (cited e.g. in [10]), is to define the semantics as a set of labelled state transition sequences, where the label records whether the transition is from the environment or from the component. This can be expressed in our setting by introducing a variable, say $u$, in the state, to record the transition agent. More precisely, in behaviour $\sigma$, a transition $(\sigma_i, \sigma_{i+1})$ is from component $P$ if $\sigma_{i+1}(u) = P$ and from its environment if $\sigma_{i+1}(u) \neq P$. 

In the specification, predicates $A$ and $C$ are binary state predicates, with the convention that unprimed variables refer to the state before and primed variables to the state after the transition. In the literature, e.g. [28,31], the interpretation that a process $P$ satisfies specification $(p, A, C, q)$ was defined as: for any behaviour $\sigma$ of $P$ 

I') if $\sigma_0 \models p$, and for any $k$, every transition $(\sigma_i, \sigma_{i+1})$ such that $i < k$ and $\sigma_{i+1}(u) \neq P$ satisfies $(\sigma_i, \sigma_{i+1}) \models A$, then $(\sigma_i, \sigma_{i+1}) \models C$ for any $i < k$ such that $\sigma_{i+1}(u) = P$, 

II') if $\sigma_0 \models p$ and every $(\sigma_i, \sigma_{i+1})$ with $\sigma_{i+1}(u) \neq P$ satisfies $(\sigma_i, \sigma_{i+1}) \models A$, then 

• $P$ performs only a finite number of transitions, 

• if $\sigma$ is a finite behaviour, then the final state satisfies $q$. 

Note that although condition I') is not directly expressed in the spiral form, it is equivalent to the following: 

if $\sigma_0 \models p$, and for any $k$, every transition $(\sigma_i, \sigma_{i+1})$ such that $i < k$ and $\sigma_{i+1}(u) \neq P$ satisfies $(\sigma_i, \sigma_{i+1}) \models A$, then $(\sigma_i, \sigma_{i+1}) \models C$ for any $i < k + 1$ such that $\sigma_{i+1}(u) = P$. 

The parallel composition rule for shared variable programs is [12]: 

Rule 4 

$P_1\ \mathit{sat}\ (p, A_1, C_1, q_1) \qquad A \vee C_1 \Rightarrow A_2$ 
$P_2\ \mathit{sat}\ (p, A_2, C_2, q_2) \qquad A \vee C_2 \Rightarrow A_1 \qquad C_1 \vee C_2 \Rightarrow C$ 
----- 
$P_1 \| P_2\ \mathit{sat}\ (p, A, C, q_1 \wedge q_2)$ 

The assumption $A_1$ specifies the state changes that the component process $P_1$ can tolerate from its environment. Both state changes by process $P_2$ (for which $C_2$ is guaranteed) as well as state changes of the overall environment (for which $A$ is assumed) must be viewed as state changes by the environment of $P_1$. Since those state changes are interleaved in the execution model, the condition $A \vee C_2 \Rightarrow A_1$ is precisely the one needed to ensure that the assumption of process $P_1$ is respected by its environment. Similar arguments also hold for process $P_2$. Finally, if both $C_1$ and $C_2$ are guaranteed, then the condition $C_1 \vee C_2 \Rightarrow C$ ensures that $C$ is guaranteed for the state changes by $P_1 \| P_2$. 



Example: $x := x + 1 \ \|\ x := x + 1$. 

Verification of this program needs auxiliary variables. Let $P_1$ be the program $\langle x, z_1 := x + 1, z_1 + 1 \rangle$, and $P_2$ the program $\langle x, z_2 := x + 1, z_2 + 1 \rangle$. Then $P_1$ satisfies 

$p : x = z_1 = z_2 = 0$, 
$A_1 : x' = z_1' + z_2' \wedge z_1' = z_1$, 
$C_1 : x' = z_1' + z_2' \wedge z_2' = z_2$, 
$q_1 : x = z_1 + z_2 \wedge z_1 = 1$ 

and $P_2$ satisfies 

$p : x = z_1 = z_2 = 0$, 
$A_2 : x' = z_1' + z_2' \wedge z_2' = z_2$, 
$C_2 : x' = z_1' + z_2' \wedge z_1' = z_1$, 
$q_2 : x = z_1 + z_2 \wedge z_2 = 1$. 

By the parallel composition rule, $P_1 \| P_2$ satisfies 

$p : x = z_1 = z_2 = 0$, 
$A : x' = x \wedge z_1' = z_1 \wedge z_2' = z_2$, 
$C : \mathit{true}$, 
$q : x = z_1 + z_2 \wedge z_1 = 1 \wedge z_2 = 1$. 

This implies that $x = 2$ is a valid postcondition. 
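The spiral interpretation and the side conditions of Rule 4 can be checked mechanically for this example. The following Python script is an added illustration and not code from the paper: it enumerates both interleavings of the two atomic steps, checks each component's $(p, A_i, C_i, q_i)$ under the spiral interpretation of Section 2.1 (the agent label plays the role of $u$), checks the composed specification, and verifies the three side conditions of Rule 4 exhaustively over a small value range. One caveat the check makes explicit: $A \vee C_2 \Rightarrow A_1$ and $A \vee C_1 \Rightarrow A_2$ only hold from states satisfying $x = z_1 + z_2$, which $p$ establishes and every $A$-, $C_1$- and $C_2$-step preserves, so the checker restricts the before-state to that invariant. The state representation, function names and the bound are this example's own.

```python
"""Spiral ("non first strike") checking of assumption-commitment
specifications for the shared-variable program x := x + 1 || x := x + 1.

States are dicts over x, z1, z2.  A behaviour is a list of labelled
transitions (before, after, agent); the agent plays the role of the
variable u in the text.  Binary predicates take the before-state s and
the after-state t, so a primed variable x' is read as t["x"].
"""
import itertools


# The two atomic programs with auxiliary variables z1, z2.
def step_p1(s):
    return {**s, "x": s["x"] + 1, "z1": s["z1"] + 1}


def step_p2(s):
    return {**s, "x": s["x"] + 1, "z2": s["z2"] + 1}


# Specifications transcribed from the example.
def p(s):     return s["x"] == s["z1"] == s["z2"] == 0
def A1(s, t): return t["x"] == t["z1"] + t["z2"] and t["z1"] == s["z1"]
def C1(s, t): return t["x"] == t["z1"] + t["z2"] and t["z2"] == s["z2"]
def q1(s):    return s["x"] == s["z1"] + s["z2"] and s["z1"] == 1
def A2(s, t): return t["x"] == t["z1"] + t["z2"] and t["z2"] == s["z2"]
def C2(s, t): return t["x"] == t["z1"] + t["z2"] and t["z1"] == s["z1"]
def q2(s):    return s["x"] == s["z1"] + s["z2"] and s["z2"] == 1
def A(s, t):  return t["x"] == s["x"] and t["z1"] == s["z1"] and t["z2"] == s["z2"]
def C(s, t):  return True
def q(s):     return s["x"] == s["z1"] + s["z2"] and s["z1"] == 1 and s["z2"] == 1


STEPS = {"P1": step_p1, "P2": step_p2}


def behaviours(init):
    """All interleavings of the single-step processes from `init`."""
    for order in itertools.permutations(STEPS):
        s, trace = init, []
        for agent in order:
            t = STEPS[agent](s)
            trace.append((s, t, agent))
            s = t
        yield trace


def sat(trace, agents, spec):
    """Spiral interpretation of `agents` sat (p, A, C, q) on one trace:
    a component step must satisfy C unless an earlier environment step
    already violated A, and q must hold at the end if A was never violated."""
    pre, assume, commit, post = spec
    if not pre(trace[0][0]):
        return True
    env_ok = True
    for s, t, who in trace:
        if who in agents:
            if env_ok and not commit(s, t):
                return False            # the component struck first
        elif not assume(s, t):
            env_ok = False              # the environment struck first
    return (not env_ok) or post(trace[-1][1])


def check_example(init=None):
    """Check P1, P2 and the closed system P1 || P2 on every interleaving."""
    init = init or {"x": 0, "z1": 0, "z2": 0}
    specs = {("P1",): (p, A1, C1, q1),
             ("P2",): (p, A2, C2, q2),
             ("P1", "P2"): (p, A, C, q)}   # closed system: no environment steps
    return {"||".join(agents): all(sat(tr, agents, spec) for tr in behaviours(init))
            for agents, spec in specs.items()}


def side_conditions(bound=2):
    """Rule 4 side conditions A \\/ C2 => A1, A \\/ C1 => A2, C1 \\/ C2 => C,
    checked exhaustively over values 0..bound.  Before-states are restricted
    to the invariant x = z1 + z2 (established by p, preserved by A, C1, C2);
    without it the A => A1 case fails, since A keeps x fixed but says
    nothing about x' = z1' + z2'."""
    vals = range(bound + 1)
    states = [{"x": x, "z1": z1, "z2": z2} for x in vals for z1 in vals for z2 in vals]
    for s in states:
        if s["x"] != s["z1"] + s["z2"]:
            continue
        for t in states:
            if (A(s, t) or C2(s, t)) and not A1(s, t):
                return False
            if (A(s, t) or C1(s, t)) and not A2(s, t):
                return False
            if (C1(s, t) or C2(s, t)) and not C(s, t):
                return False
    return True
```

Running `check_example()` reports every specification satisfied on both interleavings, and `side_conditions()` confirms the rule's premises on the invariant-respecting part of the state space; dropping the invariant test in `side_conditions` makes the $A \Rightarrow A_1$ case fail, which is the hidden proof obligation a practitioner should be aware of when applying the rule.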



2.2 Assumption - Commitment in Temporal Logics 

To express more general properties, some form of temporal logic should be used. The assumption-commitment paradigm has been studied by Pnueli [24], Barringer & Kuiper [4], and more recently by Abadi & Lamport [1-3]. In this section, we present a rule which is formulated in [9, 30], based mainly on the work by Abadi & Lamport. 

A temporal predicate $\varphi$ is a safety predicate iff for any behaviour $\sigma$: 

$\sigma \models \varphi$ iff for any finite $k$ such that $0 \le k \le |\sigma|$: $\sigma|k \models \varphi$, 

where $|\sigma|$ denotes the length of $\sigma$. The assumption-commitment specification is of the form $(A, \langle C^s, C^l \rangle)$ where $A$, $C^s$ and $C^l$ are temporal predicates. The assumption about the environment is described by $A$, which is restricted to be a safety predicate. The commitment is divided into a safety predicate $C^s$ and a remaining predicate $C^l$. Liveness should be described by $C^l$, but for the soundness of the composition rule it is not necessary to insist on $C^l$ being a pure liveness predicate. The spiral interpretation is formally defined as 

$\sigma \models \varphi_1 \rightsquigarrow \varphi_2$ iff for any finite $k$ such that $1 \le k \le |\sigma|$, if $\sigma|(k{-}1) \models \varphi_1$ then $\sigma|k \models \varphi_2$ 

and 

$\models P\ \mathit{sat}\ (A, \langle C^s, C^l \rangle)$ 

iff 

for all $\sigma$ of $P$: $\sigma \models (A \rightsquigarrow C^s) \wedge (A \Rightarrow C^l)$. 

Therefore, for any behaviour $\sigma$ of $P$, 

I'') if any prefix of $\sigma$ satisfies $A$, then $C^s$ holds after the transition extending that prefix, and 

II'') if $\sigma$ satisfies $A$, then $\sigma$ also satisfies $C^l$. 



Rule 5 

$\mathit{init}(A \Rightarrow A_1 \wedge A_2)$ 
$A \wedge C_1^s \wedge C_2^s \Rightarrow A_1 \wedge A_2$ 
$C_1^s \wedge C_2^s \Rightarrow C^s$ 
$A \wedge C_1^l \wedge C_2^l \Rightarrow C^l$ 
$P_i\ \mathit{sat}\ (A_i, \langle C_i^s, C_i^l \rangle)$ 
----- 
$P_1 \| P_2\ \mathit{sat}\ (A, \langle C^s, C^l \rangle)$ 




Compositional Reasoning Using the Assumption-Commitment Paradigm 571 



where $\mathit{init}$ is defined as 

$\sigma \models \mathit{init}\ \varphi$ iff $\sigma_0 \models \varphi$. 

It is shown in [9, 30] that the previous two rules, developed independently for OCCAM-like and shared variable programs, can be considered as special cases of the present rule. 



3 Duration Calculus 

To verify real-time systems, one needs a logic capable of expressing timing infor- 
mation. Among the real-time temporal logics that have been developed, one class 
of the logics is point-based, usually as extensions of well-established temporal 
logics, whereas the second class, known as Duration Calculus [5,7], is interval- 
based and is an extension of Interval Temporal Logic (ITL) [19] to dense time 
domains. 



3.1 The Classical Duration Calculus 

The classical Duration Calculus [5], abbreviated as DC, was developed to reason about piecewise continuous Boolean functions of time called states, which model the status of the system. In DC, time is represented by the non-negative reals. Intervals and interpretations of state variables are defined as follows: 

$\mathit{Intv} \triangleq \{ [c, d] \in \mathit{Time} \times \mathit{Time} \mid c \le d \}$ 

$\mathcal{I} \in \mathit{SVar} \to \mathit{Time} \to \{0, 1\}$. 

Roughly speaking, a model is a pair $(\mathcal{I}, [c, d])$. A Boolean state expression $B$ is constructed from (Boolean) state variables with Boolean connectives, and its duration in a model $(\mathcal{I}, [c, d])$ is defined as 

$[\![\textstyle\int B]\!](\mathcal{I}, [c, d]) = \int_c^d [\![B]\!](\mathcal{I}, t)\,dt$ 

where $[\![B]\!](\mathcal{I}, t)$ denotes the value of $B$ at time $t$ under state interpretation $\mathcal{I}$. The length $l$ of an interval is defined as 

$l \triangleq \int 1$ 

and it is easy to prove 

$[\![l]\!](\mathcal{I}, [c, d]) = d - c$. 

The modality 'chop' of ITL is defined as follows: for any formulae $A$ and $B$, 

$(\mathcal{I}, [c, d]) \models A;B$ iff there exists $m$ such that $c \le m \le d$ and $(\mathcal{I}, [c, m]) \models A$ and $(\mathcal{I}, [m, d]) \models B$. 

The axiomatic system of DC includes that of ITL and the following axioms about duration: 

$\int 0 = 0$ 
$\int 1 = l$ 
$\int B \ge 0$ 
$\int B_1 + \int B_2 = \int (B_1 \vee B_2) + \int (B_1 \wedge B_2)$ 
$(\int B = x);(\int B = y) \Rightarrow (\int B = x + y)$ 
$\int B_1 = \int B_2$, provided $B_1 \Leftrightarrow B_2$ holds in propositional logic. 
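The duration axioms can be exercised on concrete interpretations. The following Python module is an added example rather than code from the paper: it represents state variables as piecewise-constant functions of time, evaluates $\int B$ over $[c, d]$ as the total length on which $B = 1$ using exact rationals, and checks instances of each duration axiom (including chop additivity at a chosen chop point) on a constructed interpretation. The class names, the convention that a state is 0 before its first switch, and the sample states S1 and S2 are assumptions of the example.

```python
"""Durations in the classical Duration Calculus, computed for
piecewise-constant state interpretations with exact rational arithmetic.

A state variable is a function Time -> {0, 1}; a state expression combines
such functions pointwise.  The duration of B over [c, d] is the integral
of B, which for piecewise-constant B is the total length of the pieces of
[c, d] on which B = 1.  The functions below check the duration axioms on
a constructed interpretation.
"""
from fractions import Fraction as F


class State:
    """Piecewise-constant Boolean function of time given by (time, value)
    switch points in increasing order; the value before the first switch
    is 0 (a convention of this example)."""

    def __init__(self, switches):
        self.switches = [(F(t), int(v)) for t, v in switches]

    def __call__(self, t):
        value = 0
        for time, v in self.switches:
            if time <= t:
                value = v
            else:
                break
        return value

    def breakpoints(self):
        return [t for t, _ in self.switches]


class Expr:
    """A state expression: a Boolean connective `fn` applied pointwise to
    the given states (zero states gives a constant expression)."""

    def __init__(self, fn, *states):
        self.fn, self.states = fn, states

    def __call__(self, t):
        return int(self.fn(*(s(t) for s in self.states)))

    def breakpoints(self):
        return sorted({b for s in self.states for b in s.breakpoints()})


ZERO = Expr(lambda: 0)
ONE = Expr(lambda: 1)


def duration(B, c, d):
    """[[ int B ]](I, [c, d]): cut [c, d] at the breakpoints of B and add up
    the lengths of the pieces where B = 1 (sampled at the midpoint, which is
    exact because B is constant on each piece)."""
    c, d = F(c), F(d)
    cuts = sorted({c, d} | {b for b in B.breakpoints() if c < b < d})
    return sum((hi - lo for lo, hi in zip(cuts, cuts[1:]) if B((lo + hi) / 2)), F(0))


def length(c, d):
    """The term l = int 1, which evaluates to d - c."""
    return duration(ONE, c, d)


def check_axioms(B1, B2, c, d, m):
    """Instances of the DC duration axioms on [c, d] with chop point m."""
    either = Expr(lambda a, b: a or b, B1, B2)
    both = Expr(lambda a, b: a and b, B1, B2)
    return {
        "int 0 = 0": duration(ZERO, c, d) == 0,
        "int 1 = l": duration(ONE, c, d) == F(d) - F(c),
        "int B >= 0": duration(B1, c, d) >= 0,
        "inclusion-exclusion": duration(B1, c, d) + duration(B2, c, d)
                               == duration(either, c, d) + duration(both, c, d),
        "chop additive": duration(B1, c, m) + duration(B1, m, d) == duration(B1, c, d),
    }


# Constructed interpretation: S1 is 1 on [1, 4), S2 is 1 on [2, 5).
S1 = State([(1, 1), (4, 0)])
S2 = State([(2, 1), (5, 0)])


def example():
    """Durations over [0, 6] and the axiom checks for S1, S2."""
    s1_and_not_s2 = Expr(lambda a, b: a and not b, S1, S2)
    return {
        "int S1": duration(S1, 0, 6),
        "int (S1 and not S2)": duration(s1_and_not_s2, 0, 6),
        "l": length(0, 6),
        "axioms": check_axioms(S1, S2, 0, 6, 3),
    }
```

Because every state is piecewise constant, sampling at the midpoint of each piece gives the exact integral, and `Fraction` keeps the axiom checks free of floating-point error; the same `duration` function serves for the derived terms such as $l$, which is just $\int 1$.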

3.2 Duration Calculus with Weakly Monotonic Time and Infinite 
Intervals 

The model of DC with piece-wise continuous functions is not adequate for lower 
level description. At the lower level, a real-time control system for example, typ- 
ically contains primitives representing computation steps and switches between 
phases of dynamical activities. These discrete actions are usually considered in- 
stantaneous, and subsequently several such actions may happen at the same 
real time point, governed possibly by a causal order. Such an abstraction, proposed initially in the work on synchronous languages, provides substantial simplification in verification. To reason about discrete actions and their compositions, one 
needs a more involved logic. Koymans [16] suggested that a time point can be 
defined as a pair (r, n), with r denoting the real time and n the causal order. 
A variant of Duration Calculus, called Weakly Monotonic Duration Calculus, 
abbreviated as WDC, was formed by Pandya and Dang over such time struc- 
tures [22]. A similar logic was suggested by Liu, Ravn and Li [17]. 

Both DC and WDC are defined over finite intervals. However, real-time sys- 
tems often exhibit infinite behaviours. In [6], an extension of DC was studied by 
Zhou, Dang and Li, where infinite behaviours are described by their finite ap- 
proximations. This approach avoids direct interpretation of formulae over infinite 
intervals but has the disadvantage that properties are somewhat cumbersome to 
express. As an alternative formulation, we have included infinite intervals di- 
rectly in DC [29] following an approach by Moszkowski for ITL [21]. In this 
section a further extension is proposed where we include infinite intervals along 
both real and causal dimensions. The resulting logic is called Duration Calculus 
with Weakly Monotonic Time and Infinite Intervals, abbreviated as WDCI. 

A time domain of WDCI is a total order $(T, \le)$, where 

• $T \subseteq (\mathit{NonNegReal} \cup \{\infty\}) \times (\mathit{Nat} \cup \{\infty\})$, with $(0, 0) \in T$ 

• $(r_1, n_1) \le (r_2, n_2)$ iff $(r_1 \neq \infty \wedge r_1 \le r_2 \wedge n_1 \le n_2) \vee (r_1 \le r_2 \wedge n_1 \neq \infty \wedge n_1 \le n_2)$ 

• for any $t \notin T$, there exists $t' \in T$ such that $t \not\le t'$ and $t' \not\le t$. 

The last condition indicates that a time domain is maximal, in the sense that adding any other time point will cause the set to be no longer a total order. By the definition, exactly one of $(r, \infty)$, $(\infty, n)$ and $(\infty, \infty)$ is in a time domain and it is the maximal element. For any $t = (r, n)$, we write $t = \infty$ iff $n = \infty$ or $r = \infty$. An interval over $T$ is a pair of time points $[t_1, t_2]$ of $T$, where $t_1 \neq \infty$ and $t_1 \le t_2$. A model $\sigma$ is a tuple $((T, \le), \mathcal{I}, [t_1, t_2])$, where 

• $\mathcal{I} : \mathit{SVar} \to T \to \mathit{Values}$ 

• $[t_1, t_2]$ is an interval over $T$. 

A model will often be simply written as $(T, \mathcal{I}, [t_1, t_2])$ with the order omitted. We define WDCI terms and formulae as follows. The durations of a state expression along real time and causal order are two terms denoted respectively by $\int S$ and $\oint S$. Let 

$[\![S]\!](T, \mathcal{I}, r) \triangleq [\![S]\!](\mathcal{I}, r, n)$ if $\{n \mid (r, n) \in T\}$ is a singleton, and $0$ otherwise; 

$[\![S]\!](T, \mathcal{I}, n) \triangleq [\![S]\!](\mathcal{I}, r, n)$ if $(r, n), (r, n + 1) \in T$, and $0$ otherwise. 

The first definition is well-formed because if $\{n \mid (r, n) \in T\}$ is a singleton, then obviously $n_1 = n_2$ for any $(r, n_1) \in T$ and $(r, n_2) \in T$. The second definition is also well-formed because for any $(r_1, n) \in T$, $(r_2, n) \in T$, $(r_1, n + 1) \in T$ and $(r_2, n + 1) \in T$, it is easy to prove $r_1 = r_2$. Define 

$[\![\textstyle\int S]\!](T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) \triangleq \int_{r_1}^{r_2} [\![S]\!](T, \mathcal{I}, r)\,dr$ 

$[\![\textstyle\oint S]\!](T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) \triangleq \sum_{n = n_1}^{n_2 - 1} [\![S]\!](T, \mathcal{I}, n)$. 

The lengths of an interval along real time and causal order are respectively 

$l \triangleq \int 1$ and $k \triangleq \oint 1$. 

It is easy to prove that their values in a model $(T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)])$ are 

$[\![l]\!](T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) = r_2 - r_1$ 
$[\![k]\!](T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) = n_2 - n_1$. 

For a state expression $S$, $b.S$ and $e.S$ are two terms, denoting the values of $S$ at the beginning and the end of the interval: 

$[\![b.S]\!](T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) = [\![S]\!](\mathcal{I}, r_1, n_1)$ 
$[\![e.S]\!](T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) = [\![S]\!](\mathcal{I}, r_2, n_2)$. 

Primitive formulae of WDCI are constructed from terms using the comparison operators of arithmetic, such as $<$, $=$ etc., and can be combined by Boolean connectives and modality operators. The chop modality is defined as follows: for any formulae $A$ and $B$, 

$(T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) \models A;B$ iff there exists $(r, n) \in T$ such that $(r, n) \neq \infty$, $(T, \mathcal{I}, [(r_1, n_1), (r, n)]) \models A$ and $(T, \mathcal{I}, [(r, n), (r_2, n_2)]) \models B$, or $(r_2, n_2) = \infty$ and $(T, \mathcal{I}, [(r_1, n_1), (r_2, n_2)]) \models A$. 

Formula $A$ is valid, $\models A$, iff for any model $\sigma$, $\sigma \models A$. 

We next introduce some derived modalities: 

$\tilde\Diamond A \triangleq A; \mathit{true}$ 
$\tilde\Box A \triangleq \neg \tilde\Diamond \neg A$ 
$\Diamond A \triangleq \mathit{true}; A; \mathit{true}$ 
$\Box A \triangleq \neg \Diamond \neg A$ 

A model satisfies $\tilde\Diamond A$ and $\Diamond A$ if respectively there is a prefix interval and a sub-interval that satisfies $A$, and a model satisfies $\tilde\Box A$ and $\Box A$ if respectively all prefix intervals and all sub-intervals satisfy $A$. In this paper, we assume modalities bind more tightly than Boolean operators. Let 

$\mathit{fin} \triangleq l < \infty \wedge k < \infty$ 
$\mathit{fin}_k \triangleq k < \infty$ 
$\mathit{point} \triangleq l = 0 \wedge k = 0$. 



They characterise intervals which respectively are finite, finite on causal order, and points. For a Boolean expression $S$, define 

$\lceil S \rceil \triangleq \neg((l > 0 \vee k > 0); (\mathit{point} \wedge \neg b.S); (l > 0 \vee k > 0))$. 

This denotes that $S$ holds everywhere inside the interval. Let 

$\lceil S \rceil^{b} \triangleq \lceil S \rceil \wedge b.S$ 
$\lceil S \rceil^{e} \triangleq \lceil S \rceil \wedge e.S$ 
$\lceil S \rceil^{be} \triangleq \lceil S \rceil \wedge b.S \wedge e.S$. 

These specify that $S$ holds everywhere inside the interval and in addition that $S$ holds at the beginning, the end, and both the beginning and the end of the interval, respectively. Let 

$\mathit{dint} \triangleq l = 0 \wedge k = 1$ 
$\mathit{cint} \triangleq l > 0 \wedge k = 0$ 
$\mathit{unit} \triangleq \mathit{dint} \vee \mathit{cint}$. 



Intervals that satisfy cint and dint are called respectively continuous and discrete, 
and collectively unit. 

The usual theorems of ITL and DC are still valid. For example, 

$(A;B);C \Leftrightarrow A;(B;C)$ 
$(l = m_1 + m_2) \Leftrightarrow (l = m_1);(l = m_2)$. 

In addition, below is an induction theorem based on the observation that any finite interval can be chopped into a series of continuous intervals and discrete intervals. This will be used when we prove the soundness of the assumption-commitment rule. 

Theorem. If $\models R(\mathit{point})$ and $\models R(X) \Rightarrow R(X \vee X;\mathit{unit})$, then $\models R(\mathit{fin})$. 

WDCI and in particular its axiomatisation are currently under further investigation. 

4 Compositional Verification of Real-time Systems 

4.1 Semantics 

We consider several commands, which form the basis of a real-time language with shared variables: 

$P ::= \mathbf{await}\ B \to x := e \mid \mathbf{delay}\ r \mid P_1; P_2 \mid \mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2\ \mathbf{fi}$ 

$S ::= P_1 \| P_2 \| \cdots \| P_n$ 

As by usual convention, $x$ denotes a vector of variables, and $e$ denotes a matching vector of expressions. The guarded assignment $\mathbf{await}\ B \to x := e$ is blocked until the Boolean condition $B$ becomes true, and then the assignment is executed taking zero real time and one unit of causal time. Real time will only pass, with all the variables unchanged, when there are no instantaneous actions enabled. 

We give the semantics in WDCI, that is, we map a program to a WDCI formula describing the behaviours of the program. Let $\mathit{idle}_i \triangleq \Box(\mathit{dint} \Rightarrow e.u \neq i)$, where $u$ is the variable recording the index of the process that has contributed the last discrete transition. The formula says that over the interval the $i$-th component does not contribute any discrete transitions. The semantics of the statements is as follows, where we assume the assignment, the delay and the conditional statements are from the $i$-th component: 

$[\![\mathbf{await}\ B \to x := e]\!] \triangleq (\Box(\mathit{cint} \Rightarrow \lceil \neg B \rceil) \wedge \mathit{idle}_i); (\mathit{dint} \wedge B(b.x) \wedge e.x = b.e \wedge e.u = i)$ 

$[\![\mathbf{delay}\ r]\!] \triangleq \mathit{idle}_i \wedge l \le r \wedge (\mathit{fin} \Rightarrow l = r)$ 

$[\![P_1; P_2]\!] \triangleq [\![P_1]\!]; [\![P_2]\!]$ 

$[\![\mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2\ \mathbf{fi}]\!] \triangleq (l = 0 \wedge \mathit{idle}_i); (\mathit{dint} \wedge e.x = b.x \wedge e.u = i); ((B(b.x) \wedge [\![P_1]\!]) \vee (\neg B(b.x) \wedge [\![P_2]\!]))$ 

$[\![P_1 \| P_2 \| \cdots \| P_n]\!] \triangleq [\![P_1]\!] \wedge [\![P_2]\!] \wedge \cdots \wedge [\![P_n]\!]$. 

The sub-formula before the chop in the semantics of the assignment describes the waiting period. In this period, apparently no discrete transitions are from the component, and at any time point of a continuous sub-interval the Boolean guard does not hold. The reason for this is clear: otherwise the assignment would be enabled and one discrete transition would have to be taken, causing the interval to be non-continuous. For the semantics of the delay statement, it is obvious that there are no discrete transitions from the component and the real-time duration is not greater than $r$. The reason that we cannot ensure that the elapsed real time is always exactly $r$ is that in our model other components may execute an infinite number of discrete transitions before real time passes; in this case, it is sometimes figuratively said that time has been stopped. 

The semantics contains two additional formulae: 

$\Box(\mathit{cint} \Rightarrow (b.x = e.x))$ 

which says that no variables are changed over any continuous interval, and for a closed system $P_1 \| P_2 \| \cdots \| P_n$ 

$\Box(\mathit{dint} \Rightarrow \exists\, 1 \le i \le n.\ e.u = i)$ 

which says that any discrete transition is from one of the components. 

For technical convenience, we assume each Pj in Pi || P2 || • • • || T’n is infinite. 
This can be guaranteed by appending an infinite delay statement in the end, but 
we shall omit such statements in the examples. A command which is notably 
missing is the iteration statement. The semantics of the iteration statement can 
be defined using fixed-points, but this involves some technical details which can 
be found in [25] where we formalise the semantics of a large subset of Verilog, a 
hardware description language widely used in industry. 



4.2 Simple Composition 

We consider the verification of a segment of Fischer's mutual exclusion algorithm using the simple composition rule. 

Example 

$P_1 :\ \mathbf{delay}\ a_1;\ x := 1;\ \mathbf{delay}\ b_1;\ \mathbf{await}\ x = 1;\ \mathit{CS}_1$ 

$P_2 :\ \mathbf{delay}\ a_2;\ x := 2;\ \mathbf{delay}\ b_2;\ \mathbf{await}\ x = 2;\ \mathit{CS}_2$ 

The system has two processes and the algorithm ensures that they will not be in their critical sections $\mathit{CS}_1$ and $\mathit{CS}_2$ at the same time by appropriate timing parameters. Overloading the notation a little, let $\mathit{CS}_i$ also represent a Boolean state variable whose value is 1 exactly when $P_i$ is in its critical section. Mutual exclusion can be expressed as $\lceil \neg(\mathit{CS}_1 \wedge \mathit{CS}_2) \rceil$. 

Intuitively, the correctness of the algorithm can be understood as follows. If $P_2$ ensures it does not change the value of $x$ after $b_1$ real time units, then it follows that the value of $x$ is 1 when $P_1$ is in $\mathit{CS}_1$, since the critical section can only be entered when $x = 1$ and this happens after $b_1$ time units. Similarly, if $P_1$ ensures it does not change the value of $x$ after $b_2$ real time units, then the value of $x$ is 2 when $P_2$ is in $\mathit{CS}_2$. Therefore, if $b_1 > a_2$ and $b_2 > a_1$ then $P_1$ and $P_2$ will not be in their critical sections simultaneously, for otherwise $x$ would be both 1 and 2 at the same time, and this is impossible. 

Let the formula $\mathit{keep}(P_2, x)$ denote that over the interval no transition from $P_2$ 
changes $x$. This can be defined as $\Box(\mathit{dint} \wedge (b.x \ne e.x) \Rightarrow (e.u \ne 2))$. Process 
$P_1$ satisfies $(A_1 \Rightarrow C_1) \wedge C_1'$ where

$$\begin{array}{ll}
A_1: & b.\neg CS_1 \wedge ((\ell = b_1);\ \mathit{keep}(P_2, x)) \wedge \mathit{keep}(P_2, CS_1),\\
C_1: & \lceil CS_1 \Rightarrow x = 1 \rceil,\\
C_1': & ((\ell = a_1);\ \mathit{keep}(P_1, x)) \wedge \mathit{keep}(P_1, CS_2).
\end{array}$$

Similarly, process $P_2$ satisfies $(A_2 \Rightarrow C_2) \wedge C_2'$ where

$$\begin{array}{ll}
A_2: & b.\neg CS_2 \wedge ((\ell = b_2);\ \mathit{keep}(P_1, x)) \wedge \mathit{keep}(P_1, CS_2),\\
C_2: & \lceil CS_2 \Rightarrow x = 2 \rceil,\\
C_2': & ((\ell = a_2);\ \mathit{keep}(P_2, x)) \wedge \mathit{keep}(P_2, CS_1).
\end{array}$$

Since $b_1 > a_2$ and $b_2 > a_1$, it is easy to prove that $b.\neg CS_2 \wedge C_1' \Rightarrow A_2$ and 
$b.\neg CS_1 \wedge C_2' \Rightarrow A_1$; therefore it follows from the simple composition rule that

$$P_1 \parallel P_2\ \mathbf{sat}\ (b.\neg CS_1 \wedge b.\neg CS_2) \Rightarrow (C_1 \wedge C_2)$$

and it is easy to see that

$$C_1 \wedge C_2 \Rightarrow \lceil \neg(CS_1 \wedge CS_2) \rceil.$$
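The timing argument above, as an added example that is not part of the original paper: a Python simulation that enumerates every time-consistent ordering of the four events of the segment (the two writes to x and the two await checks) and reports whether both processes can be in their critical sections at once. It confirms exhaustively, for small integer parameters, that the condition b1 > a2 and b2 > a1 suffices, and exhibits parameter choices outside the condition where exclusion fails. It assumes that `delay r` takes exactly r time units (the paper's semantics only bounds it by r) and that x is initially 0; both are assumptions introduced for the example.

```python
"""
Added example (not from the paper): exhaustive simulation of the two-process
Fischer segment.  Assumptions: each `delay r` lasts exactly r time units,
x starts at 0, and the only events are the two writes and the two awaits.
"""
import itertools

INITIAL_X = 0          # assumed initial value of the shared variable


def mutual_exclusion_holds(a1, b1, a2, b2):
    """True iff no time-consistent interleaving of the four events puts
    both processes in their critical sections.

    P_i writes x := i at time a_i and executes `await x = i` at time
    a_i + b_i.  Events at equal times are tried in every order, which is
    exactly where a tie-breaking race would show up."""
    events = [(a1, 1, "write"), (a1 + b1, 1, "await"),
              (a2, 2, "write"), (a2 + b2, 2, "await")]
    for order in itertools.permutations(events):
        times = [t for t, _, _ in order]
        if times != sorted(times):
            continue                      # not a valid real-time ordering
        x, in_cs = INITIAL_X, set()
        for _, proc, kind in order:
            if kind == "write":
                x = proc
            elif x == proc:               # await succeeds: enter CS_proc
                in_cs.add(proc)
                if len(in_cs) == 2:
                    return False          # both in their critical sections
            # otherwise the await blocks; nobody writes again in this
            # segment, so that process never enters its critical section
    return True


def paper_timing_condition(a1, b1, a2, b2):
    """The sufficient condition argued in the text."""
    return b1 > a2 and b2 > a1


def counterexamples(bound):
    """Parameter tuples in [0, bound)^4 that satisfy the paper's condition
    but still violate mutual exclusion; expected to be empty."""
    return [p for p in itertools.product(range(bound), repeat=4)
            if paper_timing_condition(*p) and not mutual_exclusion_holds(*p)]


def unsafe_examples(bound):
    """Tuples violating the condition where exclusion actually fails, which
    shows the condition is not vacuous."""
    return [p for p in itertools.product(range(bound), repeat=4)
            if not paper_timing_condition(*p)
            and not mutual_exclusion_holds(*p)]


if __name__ == "__main__":
    print("safe:", mutual_exclusion_holds(1, 3, 2, 2))   # b1 > a2, b2 > a1
    print("race:", mutual_exclusion_holds(0, 1, 5, 1))   # b1 = 1 < a2 = 5
    print("counterexamples to the condition:", counterexamples(5))
```

The race case (0, 1, 5, 1) is the one the text rules out: P1 writes at 0 and passes its await at 1 before P2 has written, then P2 writes at 5 and passes its own await at 6, so both end up in their critical sections.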



4.3 Spiral Reasoning 

In this section, we formulate the spiral reasoning rule in WDCI. First, we redefine 
several concepts: 

• A formula $A$ is a safety property iff $(A \Leftrightarrow \Box(\mathit{fin} \Rightarrow A))$ is valid; 

• $A \mathrel{\hat\Rightarrow} B \triangleq \Box(\mathit{fin} \wedge (A; \mathit{unit}) \Rightarrow B)$; 

• A program $P$ satisfies a specification $(A, \langle C^a, C^b \rangle)$, denoted $P\ \mathbf{sat}\ (A, \langle C^a, C^b \rangle)$, 
if $[\![P]\!] \Rightarrow (A \Rightarrow C^a) \wedge (A \mathrel{\hat\Rightarrow} C^b)$. (The superscripts of the two commitments are 
illegible in the source; here $C^a$ denotes the commitment guarded by $\Rightarrow$ and $C^b$ the one 
guarded by $\hat\Rightarrow$.) 

Rule 6

$$\frac{\begin{array}{l}
\mathit{point} \wedge A \Rightarrow A_1 \wedge A_2\\
A \wedge C_1^b \wedge C_2^b \Rightarrow A_1 \wedge A_2\\
C_1^a \wedge C_2^a \Rightarrow C^a\\
A \wedge C_1^b \wedge C_2^b \Rightarrow C^b\\
P_i\ \mathbf{sat}\ (A_i, \langle C_i^a, C_i^b \rangle)
\end{array}}{P_1 \parallel P_2\ \mathbf{sat}\ (A, \langle C^a, C^b \rangle)}$$

where $A$, $A_i$ are safety properties. 
We prove the soundness of the rule in WDCI. Let $\mathcal{P}$ denote the premises of 
the rule, namely

$$\begin{array}{l}
(\mathit{point} \wedge A \Rightarrow A_1 \wedge A_2)\\
\wedge\ (A \wedge C_1^b \wedge C_2^b \Rightarrow A_1 \wedge A_2)\\
\wedge\ (C_1^a \wedge C_2^a \Rightarrow C^a)\\
\wedge\ (A \wedge C_1^b \wedge C_2^b \Rightarrow C^b)\\
\wedge\ (P_i\ \mathbf{sat}\ (A_i, \langle C_i^a, C_i^b \rangle)).
\end{array}$$

Lemma 1. $\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \Rightarrow \Box(\mathit{fin} \Rightarrow A_1 \wedge A_2)$.

Proof. We prove by induction. Let

$$R(X) \triangleq \Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \Rightarrow \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2).$$

Base step:

$$\begin{array}{lll}
& \Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A & \{A \text{ is safety}\}\\
\Rightarrow & \Box\mathcal{P} \wedge \Box(\mathit{fin} \Rightarrow A) & \{\mathit{point} \Rightarrow \mathit{fin} \text{ and WDCI}\}\\
\Rightarrow & \Box\mathcal{P} \wedge \Box(\mathit{point} \Rightarrow A) & \{\mathcal{P} \text{ and WDCI}\}\\
\Rightarrow & \Box(\mathit{point} \Rightarrow A_1 \wedge A_2).
\end{array}$$

Induction step:

$$\begin{array}{lll}
& \Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \wedge \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2) \wedge \mathit{fin} \wedge (X \vee X;\mathit{unit}) & \{\text{WDCI}\}\\
\Rightarrow & (A_1 \wedge A_2) \vee (\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \wedge \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2) \wedge \mathit{fin} \wedge (X;\mathit{unit})) & \{\text{WDCI}\}\\
\Rightarrow & (A_1 \wedge A_2) \vee (\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \wedge \mathit{fin} \wedge ((A_1 \wedge A_2);\mathit{unit})) & \{\text{WDCI}\}\\
\Rightarrow & (A_1 \wedge A_2) \vee (\Box\mathcal{P} \wedge A \wedge C_1^b \wedge C_2^b) & \{\mathcal{P} \text{ and WDCI}\}\\
\Rightarrow & A_1 \wedge A_2.
\end{array}$$

Therefore

$$\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \wedge \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2) \Rightarrow (\mathit{fin} \wedge (X \vee X;\mathit{unit}) \Rightarrow (A_1 \wedge A_2))$$

and it follows from

$$\Box(\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \wedge \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2)) \Leftrightarrow (\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \wedge \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2))$$

that

$$(\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \wedge \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2)) \Rightarrow \Box(\mathit{fin} \wedge (X \vee X;\mathit{unit}) \Rightarrow (A_1 \wedge A_2)).$$

Subsequently

$$(\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \Rightarrow \Box(\mathit{fin} \wedge X \Rightarrow A_1 \wedge A_2)) \Rightarrow (\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \Rightarrow \Box(\mathit{fin} \wedge (X \vee X;\mathit{unit}) \Rightarrow (A_1 \wedge A_2))),$$

that is, $R(X) \Rightarrow R(X \vee X;\mathit{unit})$. Therefore, by the induction theorem, we have

$$\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A \Rightarrow \Box(\mathit{fin} \Rightarrow A_1 \wedge A_2). \qquad \Box$$

Lemma 2. $\mathcal{P} \vdash (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \Rightarrow (A \mathrel{\hat\Rightarrow} C^b)$.

Proof.

$$\begin{array}{lll}
& \Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge \mathit{fin} \wedge (A;\mathit{unit}) & \{\text{Lemma 1 and WDCI}\}\\
\Rightarrow & \Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge \mathit{fin} \wedge ((A_1 \wedge A_2);\mathit{unit}) & \{\text{WDCI}\}\\
\Rightarrow & \Box\mathcal{P} \wedge C_1^b \wedge C_2^b & \{\mathcal{P} \text{ and WDCI}\}
\end{array}$$

Therefore

$$\Box\mathcal{P} \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \Rightarrow \Box(\mathit{fin} \wedge (A;\mathit{unit}) \Rightarrow C^b). \qquad \Box$$

Lemma 3. $\mathcal{P} \vdash (A_1 \Rightarrow C_1^a) \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \Rightarrow C_2^a) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \Rightarrow (A \Rightarrow C^a)$.

Proof.

$$\begin{array}{lll}
& \Box\mathcal{P} \wedge (A_1 \Rightarrow C_1^a) \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \Rightarrow C_2^a) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) \wedge A & \{\text{Lemma 1}\}\\
\Rightarrow & \Box\mathcal{P} \wedge (A_1 \Rightarrow C_1^a) \wedge (A_2 \Rightarrow C_2^a) \wedge A \wedge \Box(\mathit{fin} \Rightarrow A_1 \wedge A_2) & \{\text{WDCI}\}\\
\Rightarrow & \Box\mathcal{P} \wedge (A_1 \Rightarrow C_1^a) \wedge (A_2 \Rightarrow C_2^a) \wedge A \wedge \Box(\mathit{fin} \Rightarrow A_1) \wedge \Box(\mathit{fin} \Rightarrow A_2) & \{A_i \text{ is safety}\}\\
\Rightarrow & \Box\mathcal{P} \wedge (A_1 \Rightarrow C_1^a) \wedge (A_2 \Rightarrow C_2^a) \wedge A \wedge A_1 \wedge A_2 & \{\text{WDCI}\}\\
\Rightarrow & \Box\mathcal{P} \wedge A \wedge C_1^a \wedge C_2^a & \{\mathcal{P} \text{ and WDCI}\}\\
\Rightarrow & C^a. & \qquad \Box
\end{array}$$



Theorem. $\mathcal{P} \vdash [\![P_1 \parallel P_2]\!] \Rightarrow (A \Rightarrow C^a) \wedge (A \mathrel{\hat\Rightarrow} C^b)$.

Proof.

$$\begin{array}{ll}
[\![P_1 \parallel P_2]\!] \Rightarrow [\![P_1]\!] \wedge [\![P_2]\!] & \{\text{Semantics}\}\\
\mathcal{P} \vdash [\![P_1]\!] \wedge [\![P_2]\!] \Rightarrow (A_1 \Rightarrow C_1^a) \wedge (A_1 \mathrel{\hat\Rightarrow} C_1^b) \wedge (A_2 \Rightarrow C_2^a) \wedge (A_2 \mathrel{\hat\Rightarrow} C_2^b) & \{\mathcal{P} \text{ and WDCI}\}\\
\mathcal{P} \vdash [\![P_1 \parallel P_2]\!] \Rightarrow (A \Rightarrow C^a) \wedge (A \mathrel{\hat\Rightarrow} C^b) & \{\text{Lemmata 2, 3}\}
\end{array}$$




580 Q. Xu and M. Swarup 

Example

    P1 :  do                                P2 :  do
            if x ≠ 0 then x := 1                    if x ≠ 0 then x := 2
            else skip fi;                           else skip fi;
            delay 2                                 delay 3
          od                                      od


If the initial value of $x$ is 0, then the Boolean test in each process always yields 
the value false, and subsequently the statement skip (which can be defined as 
$x := x$) is selected, unless the other process has changed $x$ to a non-zero value. 
Since neither process can change the value first, $x$ remains 0 all the time. 
Formally, we can prove that process $P_1$ satisfies

$$\begin{array}{ll}
A_1: & \lceil x = 0 \rceil \vee \lceil x = 0 \rceil;\ (\mathit{dint} \wedge (e.x = 0 \vee e.u \ne 2)),\\
C_1^b: & \lceil x = 0 \rceil \vee \lceil x = 0 \rceil;\ (\mathit{dint} \wedge (e.x = 0 \vee e.u \ne 1))
\end{array}$$

and $P_2$ satisfies

$$\begin{array}{ll}
A_2: & \lceil x = 0 \rceil \vee \lceil x = 0 \rceil;\ (\mathit{dint} \wedge (e.x = 0 \vee e.u \ne 1)),\\
C_2^b: & \lceil x = 0 \rceil \vee \lceil x = 0 \rceil;\ (\mathit{dint} \wedge (e.x = 0 \vee e.u \ne 2)).
\end{array}$$

Since

$$\begin{array}{ll}
& C_1^b \wedge C_2^b\\
\Leftrightarrow & \lceil x = 0 \rceil \vee (\lceil x = 0 \rceil;\ (\mathit{dint} \wedge (e.x = 0 \vee e.u \ne 1)) \wedge \lceil x = 0 \rceil;\ (\mathit{dint} \wedge (e.x = 0 \vee e.u \ne 2)))\\
\Leftrightarrow & \lceil x = 0 \rceil \vee \lceil x = 0 \rceil;\ (\mathit{dint} \wedge (e.x = 0 \vee (e.u \ne 1 \wedge e.u \ne 2)))\\
\Leftrightarrow & \lceil x = 0 \rceil \vee \lceil x = 0 \rceil;\ (\mathit{dint} \wedge e.x = 0)\\
\Leftrightarrow & \lceil x = 0 \rceil,
\end{array}$$

where the third step uses that in the closed system every discrete transition is from $P_1$ or $P_2$, 
it follows from the composition rule that $P_1 \parallel P_2$ satisfies

$$\begin{array}{ll}
A: & b.x = 0,\\
C^b: & \lceil x = 0 \rceil.
\end{array}$$


5 Conclusion 

In this paper, we have discussed the assumption-commitment paradigm for 
achieving compositionality. We have surveyed several rules which have been de- 
veloped in different settings and argued that they are based on the same principle. 
There has been much related work. Being a topic of extensive research, composi- 
tionality has been studied by many researchers, e.g., by Hooman [11], Zwiers [32] 
and Jonsson [14]. In a closer context, recent work using the assumption-commitment 
paradigm includes that by Jones [13] in object-orientation, by Collette [8] on 
UNITY, and by Jonsson and Tsay [15] on linear-time temporal logic. 

By now, the principle of composing assumption-commitment specifications 
has been well understood. Consequently, it can be applied readily to different 
formalisms, and we have done so in this paper for the verification of real-time systems 
using Duration Calculus. 

There also exists work which is related but from somewhat different perspec- 
tives. Moszkowski studied what kinds of formulae can be used as assumptions 
and commitments in ITL [20]. Shankar [26] proposes a new approach, called 
lazy composition, but it seems that the mathematical theory of lazy composi- 
tion is the same as that of assumption-commitment, and his contribution can 
probably best be viewed as a methodological study of when and how to discharge 
mutually dependent proof obligations. 
Abstract. This paper introduces left and right neighbourhoods as prim- 
itive interval modalities to define other unary and binary modalities of 
intervals in a first order logic with interval length. A complete first order 
logic for the neighbourhood modalities is presented. 

It is demonstrated how the logic can support formal specification and 
verification of liveness and fairness, and also of various notions of real 
analysis. 



1 Introduction 

Interval temporal logics based on ITL [6] have been shown to be useful for the 
specification and verification of safety properties of real-time systems. In these 
logics one can succinctly express properties like "for all intervals of a given size, 
$\phi$ must hold", and "if $\phi$ holds for an interval, then there is a subinterval where 
$\psi$ holds", and so on. However, these logics cannot express more abstract liveness 
properties like "eventually there is an interval where $\phi$ holds" and "$\phi$ will hold 
infinitely often in the future". 

The reason for this limitation is that the basic modality used in ITL, called 
chop ($\frown$), is a contracting modality, in the sense that the truth value of a formula 
on an interval $[b, e]$ only depends on subintervals of $[b, e]$: 

$\phi \frown \psi$ holds on $[b, e]$ 

iff there exists $m \in [b, e]$ such that $\phi$ holds on $[b, m]$ and $\psi$ holds on $[m, e]$. 

(Figure: the interval $[b, e]$ split at $m$, with $\phi$ on $[b, m]$ and $\psi$ on $[m, e]$.)


The formulas of ITL are constructed from atomic formulas using the con- 
nectives of first order logic and the chop modality. It is clear that ITL formulas 



W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 584-608, 1998. 
cannot express abstract liveness properties, as the truth value of a formula does 
not depend on intervals outside the interval under consideration¹. 

When logics based on ITL, e.g. [23], are used to specify hybrid systems, 
a limitation is that notions from real analysis, such as limits, continuity and 
differentiability, which are definable through the notion of neighbourhood, cannot 
be formalized in the ITL based logics. E.g. the definition of a limit at a point must 
refer to neighbourhood properties of the point, i.e. properties over super-intervals 
of the point. To cope with this, an informal mathematical theory of real analysis 
is assumed in [23], and in other languages for specifying hybrid systems as well, 
e.g. in Hybrid Statecharts [12], Hybrid Automata [2] and TLA+ [11]. This is fine 
for verification using paper and pencil; but for proofs of formulas involving the 
notion of neighbourhood, it is impossible to get support from theorem provers for 
ITL logics. 

In order to improve the expressiveness of ITL, infinite intervals [13,22] and 
expanding modalities [18,5,14,16] have been introduced. However, all those 
modalities are a little complicated, for different reasons. For example, [18] estab- 
lishes a complete propositional calculus for three binary interval modalities. In 
addition to the chop (designated as $C$ in [18]), it introduces two modalities $T$ 
and $D$, which are expanding in the sense that the truth value of the formulas $\phi T \psi$ 
and $\phi D \psi$ on an interval $[b, e]$ depends on intervals "outside" $[b, e]$: 

$\phi T \psi$ holds on $[b, e]$ 

iff there exists $c \ge e$ such that $\phi$ holds on $[e, c]$ and $\psi$ holds on $[b, c]$. 

(Figure: $\phi T \psi$ on $[b, e]$, with $\phi$ on $[e, c]$ and $\psi$ on $[b, c]$.)

So $T$ refers to an expansion of a given interval in future time. Symmetrically, 
$D$ refers to an expansion in past time. 

$\phi D \psi$ holds on $[b, e]$ 

iff there exists $a \le b$ such that $\phi$ holds on $[a, b]$ and $\psi$ holds on $[a, e]$. 

(Figure: $\phi D \psi$ on $[b, e]$, with $\phi$ on $[a, b]$ and $\psi$ on $[a, e]$.)


¹ This holds when the truth value of atomic formulas does not depend on 
"outside intervals". 
Abstract liveness can be specified using these modalities [16], and there is a 
complete axiomatization of a propositional modal logic with the three modalities 
$C$, $T$ and $D$. Some of the axioms and rules for this logic are, however, quite 
complicated. 

Expanding modalities are not necessarily binary, and in [1] there is a list of 
thirteen possible unary interval modalities. Furthermore, in [7] it is shown that 
six of them are basic in the sense that the remaining unary modalities can be 
derived from the basic ones in propositional logic. Two of the basic modalities 
are contracting, and four are expanding. Confined to propositional logic, one 
cannot derive the chop from the thirteen unary modalities [17]. However, this 
confinement becomes unnecessary when one uses interval logic to formulate real 
analysis, since real analysis is traditionally a first order theory. 

In this paper we present a first order logic for intervals which has two simple 
expanding modalities, designated $\Diamond_l\phi$ (reads: "for some left neighbourhood, $\phi$") 
and $\Diamond_r\phi$ (reads: "for some right neighbourhood, $\phi$"): 

$\Diamond_l\phi$ holds on $[b, e]$ iff there exists $\delta \ge 0$ such that $\phi$ holds on $[b - \delta, b]$, and 
$\Diamond_r\phi$ holds on $[b, e]$ iff there exists $\delta \ge 0$ such that $\phi$ holds on $[e, e + \delta]$. 

With $\Diamond_l$ ($\Diamond_r$) one can reach left (right) neighbourhoods of the beginning 
(ending) point of an interval: 

(Figure: $\Diamond_l\phi$ reaches $[a, b]$ where $a = b - \delta$; $\Diamond_r\phi$ reaches $[e, c]$ where $c = e + \delta$.)

When the interval is a point interval (i.e. $b = e$ in the definition), they 
become the modalities for the conventional left and right neighbourhoods 
of a point, by assuming that the lengths of the neighbourhoods are non-zero. We 
therefore call $\Diamond_l$ ($\Diamond_r$) the left (right) neighbourhood modality. They are expanding 
modalities, and very similar to $\langle \bar A \rangle$ and $\langle A \rangle$, respectively, of the six basic modalities of [7]. 

Summary of paper: Syntax and semantics are given in Section 2 for a first or- 
der interval logic based on the two modalities $\Diamond_l$ and $\Diamond_r$. This logic is called 
Neighbourhood Logic (abbreviated to NL). The adequacy of NL is established in 
Section 3, in the sense that the six basic unary modalities of [7] and the three 
binary modalities of [17] are expressible in NL. In Section 4 we give a complete 
axiomatization of NL and some sample proofs. This axiomatization is very sim- 
ilar to the one for ITL in [4]. (We refer to [3] for the proof of completeness.) 
This proof system for NL is much simpler than the proof system for the modal- 
ities $C$, $T$ and $D$ given in [17]. In Section 5 we show that Duration Calculus [21] 
can be established as an extension of NL. Furthermore, it is illustrated how ab- 
stract liveness and fairness properties and properties of delay insensitive circuits 
can be specified. Concepts from real analysis are specified in Section 6, and the 
last section contains a discussion. 

2 Syntax and Semantics of NL 

2.1 Syntax 

The formulas of NL are constructed from the following sets of symbols: 

GVar : An infinite set of global variables $x, y, z, \ldots$. These variables are called 
global since their meaning is independent of time and time intervals. 

TVar : An infinite set of temporal variables $\ell, v, v_1, v_2, v_3, \ldots$, where $\ell$ is a special 
symbol denoting the interval length. The meaning of a temporal variable will 
be a real valued interval function. 

FSymb : An infinite set of global function symbols $f^n, g^m, \ldots$ equipped with 
arities $n, m \ge 0$. If $f^n$ has arity $n = 0$ then $f^n$ is called a constant, denoting 
a real number, such as 0 and 1. The meaning of a global function symbol $f^n$, 
$n > 0$, will be an $n$-ary function on real numbers, which will be independent 
of time intervals. 

RSymb : An infinite set of global relation symbols $G^n, H^m, \ldots$ equipped with 
arities $n, m \ge 0$. If $G^n$ has arity $n = 0$, then $G^n$ is called a constant, denoting 
one of the Boolean values $\mathit{tt}$ or $\mathit{ff}$. The meaning of a global relation symbol 
$G^n$, $n > 0$, will be an $n$-ary Boolean valued function on real numbers, which 
will be independent of time intervals. 

PLetter : An infinite set of temporal propositional letters $X, Y, \ldots$. The mean- 
ing of each temporal propositional letter will be a Boolean valued interval 
function. 

The set of terms, $\theta, \theta_i \in \mathit{Terms}$, is defined by the abstract syntax: 

$$\theta ::= x \mid \ell \mid v \mid f^n(\theta_1, \ldots, \theta_n)$$

The set of formulas, $\phi, \psi \in \mathit{Formulas}$, is defined by the abstract syntax: 

$$\phi ::= X \mid G^n(\theta_1, \ldots, \theta_n) \mid \neg\phi \mid \phi \vee \psi \mid (\exists x)\phi \mid \Diamond_l\phi \mid \Diamond_r\phi$$

We also use $\psi, \phi_i, \psi_i$ and $\varphi_i$ to denote formulas. 

We use standard notation for constants, e.g. 0 and 1, and for function and 
relation symbols of real arithmetic, e.g. $+$ and $<$. 



2.2 Semantics 

The meaning of terms and formulas is explained in this section. To do so, we 
must explain the meaning of an interval, the meaning of function and relation 
symbols, and the meaning of global and temporal variables. Time and time 
intervals are defined by:

$$\mathit{Time} = \mathbb{R}, \qquad \mathit{Intv} = \{[b, e] \mid b, e \in \mathit{Time} \text{ and } b \le e\}$$

We consider functions and relations of real arithmetic, so we assume that each 
$n$-ary function symbol $f^n$ is associated with a function $\bar f^n \in \mathbb{R}^n \to \mathbb{R}$, and each 
$n$-ary relation symbol $G^n$ is associated with a function $\bar G^n \in \mathbb{R}^n \to \{\mathit{tt}, \mathit{ff}\}$. In 
particular $\mathit{tt}$ and $\mathit{ff}$ are associated with true and false, respectively. The meaning 
of function symbols, such as $0$, $+$ and $-$, is the standard one for the real numbers, 
and so is the meaning of the relation symbols $=$, $\ge$ etc. 

The meaning of global variables is given by a value assignment, which is a 
function associating a real number with each global variable:

$$\mathcal{V} \in \mathit{GVar} \to \mathbb{R}.$$

Let $\mathit{Val}$ be the set of all value assignments. 

The meaning of temporal variables and temporal propositional letters, i.e. 
the "interval dependent symbols", is given by an interpretation

$$\mathcal{J} \in \left(\begin{array}{c}\mathit{TVar}\\ \cup\\ \mathit{PLetter}\end{array}\right) \to \left(\begin{array}{c}\mathit{Intv} \to \mathbb{R}\\ \cup\\ \mathit{Intv} \to \{\mathit{tt}, \mathit{ff}\}\end{array}\right), \quad \text{where } \mathcal{J}(v)([b, e]) \in \mathbb{R} \text{ and } \mathcal{J}(X)([b, e]) \in \{\mathit{tt}, \mathit{ff}\},$$

associating a real valued interval function with each temporal variable and a 
Boolean valued interval function with each temporal propositional letter. We 
will use the following abbreviations:

$$v_{\mathcal{J}} = \mathcal{J}(v) \quad \text{and} \quad X_{\mathcal{J}} = \mathcal{J}(X).$$

The semantics of a term $\theta$ in an interpretation $\mathcal{J}$ is a function

$$\mathcal{J}[\![\theta]\!] \in \mathit{Val} \times \mathit{Intv} \to \mathbb{R}$$

defined inductively on the structure of terms by:

$$\begin{array}{ll}
\mathcal{J}[\![x]\!](\mathcal{V}, [b, e]) &= \mathcal{V}(x)\\
\mathcal{J}[\![\ell]\!](\mathcal{V}, [b, e]) &= e - b\\
\mathcal{J}[\![v]\!](\mathcal{V}, [b, e]) &= v_{\mathcal{J}}([b, e])\\
\mathcal{J}[\![f^n(\theta_1, \ldots, \theta_n)]\!](\mathcal{V}, [b, e]) &= \bar f^n(c_1, \ldots, c_n)
\end{array}$$

where $c_i = \mathcal{J}[\![\theta_i]\!](\mathcal{V}, [b, e])$, for $1 \le i \le n$. 

The semantics of a formula $\phi$ in an interpretation $\mathcal{J}$ is a function

$$\mathcal{J}[\![\phi]\!] \in \mathit{Val} \times \mathit{Intv} \to \{\mathit{tt}, \mathit{ff}\}$$
defined inductively on the structure of formulas below, where the following ab- 
breviations will be used:

$$\begin{array}{lll}
\mathcal{J}, \mathcal{V}, [b, e] \models \phi & \triangleq & \mathcal{J}[\![\phi]\!](\mathcal{V}, [b, e]) = \mathit{tt}\\
\mathcal{J}, \mathcal{V}, [b, e] \not\models \phi & \triangleq & \mathcal{J}[\![\phi]\!](\mathcal{V}, [b, e]) = \mathit{ff}
\end{array}$$

The definition of $\models$ is by induction on the structure of formulas: 

1) $\mathcal{J}, \mathcal{V}, [b, e] \models X$ iff $X_{\mathcal{J}}([b, e]) = \mathit{tt}$ 

2) $\mathcal{J}, \mathcal{V}, [b, e] \models G^n(\theta_1, \ldots, \theta_n)$ iff $\bar G^n(\mathcal{J}[\![\theta_1]\!](\mathcal{V}, [b, e]), \ldots, \mathcal{J}[\![\theta_n]\!](\mathcal{V}, [b, e])) = \mathit{tt}$ 

3) $\mathcal{J}, \mathcal{V}, [b, e] \models \neg\phi$ iff $\mathcal{J}, \mathcal{V}, [b, e] \not\models \phi$ 

4) $\mathcal{J}, \mathcal{V}, [b, e] \models \phi \vee \psi$ iff $\mathcal{J}, \mathcal{V}, [b, e] \models \phi$ or $\mathcal{J}, \mathcal{V}, [b, e] \models \psi$ 

5) $\mathcal{J}, \mathcal{V}, [b, e] \models (\exists x)\phi$ iff $\mathcal{J}, \mathcal{V}', [b, e] \models \phi$ 
for some value assignment $\mathcal{V}'$ which is $x$-equivalent to $\mathcal{V}$, 
i.e. $\mathcal{V}(y) = \mathcal{V}'(y)$ for any global variable $y \ne x$. 

6) $\mathcal{J}, \mathcal{V}, [b, e] \models \Diamond_l\phi$ iff there exists $\delta \ge 0$: $\mathcal{J}, \mathcal{V}, [b - \delta, b] \models \phi$ 

7) $\mathcal{J}, \mathcal{V}, [b, e] \models \Diamond_r\phi$ iff there exists $\delta \ge 0$: $\mathcal{J}, \mathcal{V}, [e, e + \delta] \models \phi$ 

A formula $\phi$ is valid, written $\models \phi$, iff $\mathcal{J}, \mathcal{V}, [b, e] \models \phi$ for any interpretation 
$\mathcal{J}$, value assignment $\mathcal{V}$, and interval $[b, e]$. Furthermore, a formula $\phi$ is satisfiable 
iff $\mathcal{J}, \mathcal{V}, [b, e] \models \phi$ for some interpretation $\mathcal{J}$, value assignment $\mathcal{V}$, and interval 
$[b, e]$. 

Abbreviations and conventions. We shall use the conventional abbreviations 
for the connectives $\wedge$, $\Rightarrow$ and $\Leftrightarrow$ of propositional logic and the conventional 
abbreviation for the quantifier $\forall$ of predicate logic. Furthermore, the following 
abbreviations will be used: 

$\Diamond_l^c\phi \triangleq \Diamond_r\Diamond_l\phi$ reads: "for some left neighbourhood of the end point: $\phi$", and 

$\Diamond_r^c\phi \triangleq \Diamond_l\Diamond_r\phi$ reads: "for some right neighbourhood of the beginning point: $\phi$". 

The modalities $\Diamond_l^c$ and $\Diamond_r^c$ are called the converses of the modalities $\Diamond_l$ and 
$\Diamond_r$, respectively. 

The following semantic calculation shows the meaning of $\Diamond_l^c$:

$$\begin{array}{ll}
& \mathcal{J}, \mathcal{V}, [b, e] \models \Diamond_l^c\phi\\
\text{iff} & \mathcal{J}, \mathcal{V}, [b, e] \models \Diamond_r\Diamond_l\phi\\
\text{iff} & \text{there exists } \delta' \ge 0:\ \mathcal{J}, \mathcal{V}, [e, e + \delta'] \models \Diamond_l\phi\\
\text{iff} & \text{there exists } \delta \ge 0:\ \mathcal{J}, \mathcal{V}, [e - \delta, e] \models \phi.
\end{array}$$
A similar calculation for $\Diamond_r^c$ establishes that

$$\mathcal{J}, \mathcal{V}, [b, e] \models \Diamond_r^c\phi \quad \text{iff for some } \delta \ge 0:\ \mathcal{J}, \mathcal{V}, [b, b + \delta] \models \phi.$$

(Figure: $\Diamond_l^c\phi$ reaches $[e - \delta, e]$; $\Diamond_r^c\phi$ reaches $[b, a]$ where $a = b + \delta$.)

The above figures show the cases where $e > b$ and $b + \delta \le e$. However, it 
is also possible that $e = b$ or that $b + \delta > e$. 

When $\neg$, $(\exists x)$, $(\forall x)$, $\Diamond_l$, $\Diamond_r$, $\Diamond_l^c$ and $\Diamond_r^c$ occur in formulas they have higher 
precedence than the binary connectives, e.g. the formula

$$(\Diamond_l^c\phi) \Rightarrow (((\forall x)(\neg\psi)) \wedge \varphi)$$

can be written as:

$$\Diamond_l^c\phi \Rightarrow ((\forall x)\neg\psi \wedge \varphi).$$

Furthermore, the following abbreviations for quantifiers will be used:

$$\begin{array}{ll}
\exists x > \theta.\phi \triangleq (\exists x)(x > \theta \wedge \phi) & \text{similarly for the other relations } \ge, <, \ldots\\
\forall x > \theta.\phi \triangleq (\forall x)(x > \theta \Rightarrow \phi) & \text{similarly for the other relations } \ge, <, \ldots\\
\forall x_1, x_2, \ldots, x_n.\phi \triangleq (\forall x_1)(\forall x_2) \cdots (\forall x_n)\phi\\
\exists x_1, x_2, \ldots, x_n.\phi \triangleq (\exists x_1)(\exists x_2) \cdots (\exists x_n)\phi
\end{array}$$


3 Adequacy of Neighbourhood Modalities 

In this section, we show that the six basic unary interval modalities of [7] and 
the three binary interval modalities (i.e. $\frown$, $T$ and $D$) of [18] can be defined in 
NL. 

The six basic modalities of [7] are denoted by: 

    Modality     Intervals reachable from the "current interval"
    ⟨A⟩          non-point right neighbourhoods
    ⟨Ā⟩          non-point left neighbourhoods
    ⟨B⟩          strict prefix intervals
    ⟨B̄⟩          intervals which have the current interval as a strict prefix
    ⟨E⟩          strict suffix intervals
    ⟨Ē⟩          intervals which have the current interval as a strict suffix
The meaning of these six unary modalities and the three binary modalities 
$\frown$, $T$ and $D$ is given by: 

1. $\mathcal{J}, \mathcal{V}, [b, e] \models \langle A \rangle\phi$ iff there exists $a > e$: $\mathcal{J}, \mathcal{V}, [e, a] \models \phi$ 

2. $\mathcal{J}, \mathcal{V}, [b, e] \models \langle \bar A \rangle\phi$ iff there exists $a < b$: $\mathcal{J}, \mathcal{V}, [a, b] \models \phi$ 

3. $\mathcal{J}, \mathcal{V}, [b, e] \models \langle B \rangle\phi$ iff there exists $a$ such that $b \le a < e$ and $\mathcal{J}, \mathcal{V}, [b, a] \models \phi$ 

4. $\mathcal{J}, \mathcal{V}, [b, e] \models \langle \bar B \rangle\phi$ iff there exists $a > e$: $\mathcal{J}, \mathcal{V}, [b, a] \models \phi$ 

5. $\mathcal{J}, \mathcal{V}, [b, e] \models \langle E \rangle\phi$ iff there exists $a$ such that $b < a \le e$ and $\mathcal{J}, \mathcal{V}, [a, e] \models \phi$ 

6. $\mathcal{J}, \mathcal{V}, [b, e] \models \langle \bar E \rangle\phi$ iff there exists $a < b$: $\mathcal{J}, \mathcal{V}, [a, e] \models \phi$ 

7. $\mathcal{J}, \mathcal{V}, [b, e] \models \phi \frown \psi$ 
iff there exists $m \in [b, e]$: $\mathcal{J}, \mathcal{V}, [b, m] \models \phi$ and $\mathcal{J}, \mathcal{V}, [m, e] \models \psi$ 

8. $\mathcal{J}, \mathcal{V}, [b, e] \models \phi T \psi$ iff there exists $a \ge e$: $\mathcal{J}, \mathcal{V}, [e, a] \models \phi$ and $\mathcal{J}, \mathcal{V}, [b, a] \models \psi$ 

9. $\mathcal{J}, \mathcal{V}, [b, e] \models \phi D \psi$ iff there exists $a \le b$: $\mathcal{J}, \mathcal{V}, [a, b] \models \phi$ and $\mathcal{J}, \mathcal{V}, [a, e] \models \psi$ 

Theorem 1. (Adequacy.) The above nine modalities can be expressed in NL. 

Proof. The following equivalences establish the theorem. Each of them is easily 
checked using the semantic definitions. 

1. $\langle A \rangle\phi \Leftrightarrow \Diamond_r((\ell > 0) \wedge \phi)$ 

where $(\ell > 0)$ guarantees that the right expansion is a non-point interval. 

2. $\langle \bar A \rangle\phi \Leftrightarrow \Diamond_l((\ell > 0) \wedge \phi)$ 

where $(\ell > 0)$ guarantees that the left expansion is a non-point interval. 

3. $\langle B \rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_r^c((\ell < x) \wedge \phi))$ 

where $\Diamond_r^c$ defines an interval that has the same beginning point as the original 
interval, and $(\ell < x)$ stipulates that the defined interval is a strict subinterval 
of the original one. 

4. $\langle \bar B \rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_r^c((\ell > x) \wedge \phi))$ 

It is similar to $\langle B \rangle\phi$, except that $(\ell > x)$ stipulates that the defined interval 
is a strict super-interval of the original one. 

5. $\langle E \rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_l^c((\ell < x) \wedge \phi))$ 

The definition is similar to $\langle B \rangle\phi$, except that $\Diamond_l^c$ here defines an interval that 
has the same ending point as the original interval. 

6. $\langle \bar E \rangle\phi \Leftrightarrow \exists x.((\ell = x) \wedge \Diamond_l^c((\ell > x) \wedge \phi))$ 

It is similar to $\langle E \rangle\phi$, except that $(\ell > x)$ stipulates that the defined interval 
is a strict super-interval of the original one. 

7. $\phi \frown \psi \Leftrightarrow \exists x, y.((\ell = x + y) \wedge \Diamond_r^c((\ell = x) \wedge \phi \wedge \Diamond_r((\ell = y) \wedge \psi)))$ 

where $(\ell = x + y)$ stipulates that the two consecutive right expansions of 
lengths $x$ and $y$ exactly cover the original interval. 

8. $\phi T \psi \Leftrightarrow \exists x, y.((\ell = x) \wedge \Diamond_r((\ell = y) \wedge \phi \wedge \Diamond_l^c((\ell = x + y) \wedge \psi)))$ 

where $(\ell = x + y)$ guarantees that the left expansion, $\Diamond_l^c$, exactly covers the 
original interval and its right expansion, $\Diamond_r$. 

9. $\phi D \psi \Leftrightarrow \exists x, y.((\ell = x) \wedge \Diamond_l((\ell = y) \wedge \phi \wedge \Diamond_r^c((\ell = x + y) \wedge \psi)))$ 

where $(\ell = x + y)$ guarantees that the right expansion, $\Diamond_r^c$, exactly covers 
the original interval and its left expansion, $\Diamond_l$. 
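The semantics of Section 2.2 and the equivalences of Theorem 1, as an added example that is not the paper's code: a Python evaluator for NL formulas on a bounded integer time line. It implements clauses 1 to 7 of the semantics, the nine modalities directly from their definitions above, and their NL encodings from the proof of Theorem 1, and then compares the two on every interval. The bounded integer time line 0..T, the range 0..T of global variables, the tuple encoding of formulas and the sample interpretation `J_SAMPLE` are assumptions introduced for the example; with the reals replaced by a finite domain every "there exists δ ≥ 0" and every "(∃x)" becomes a finite search, which is what makes the check executable.

```python
"""
Added example (not from the paper): bounded-model evaluator for NL.
Assumptions: Time is the integers 0..T instead of the reals; global
variables range over 0..T; an interpretation J maps each propositional
letter to the set of intervals (b, e) on which it is true; formulas are
nested tuples built with the constructors below.
"""
from itertools import product

T = 6                                 # the bounded time line is [0, T]

# ---- terms: an int, a global variable name, or ("+", t1, t2) ------------
def term(V, t):
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return V[t]
    return term(V, t[1]) + term(V, t[2])

# ---- formula constructors (the NL syntax of Section 2.1) ----------------
def Len(op, t):      return ("len", op, t)      # ell op t, op in {"=", "<", ">"}
def Letter(X):       return ("letter", X)       # temporal propositional letter
def Not(f):          return ("not", f)
def And(f, g):       return ("and", f, g)
def Exists(x, f):    return ("exists", x, f)
def Dl(f):           return ("dl", f)           # <>_l: some left neighbourhood
def Dr(f):           return ("dr", f)           # <>_r: some right neighbourhood
def Dlc(f):          return Dr(Dl(f))           # <>_l^c = <>_r <>_l (Section 2.2)
def Drc(f):          return Dl(Dr(f))           # <>_r^c = <>_l <>_r

def holds(J, V, b, e, f):
    """J, V, [b, e] |= f, following clauses 1-7 of Section 2.2."""
    kind = f[0]
    if kind == "len":
        _, op, t = f
        n = term(V, t)
        return {"=": e - b == n, "<": e - b < n, ">": e - b > n}[op]
    if kind == "letter":
        return (b, e) in J.get(f[1], set())
    if kind == "not":
        return not holds(J, V, b, e, f[1])
    if kind == "and":
        return holds(J, V, b, e, f[1]) and holds(J, V, b, e, f[2])
    if kind == "exists":                       # x-equivalent assignments
        _, x, g = f
        return any(holds(J, {**V, x: n}, b, e, g) for n in range(T + 1))
    if kind == "dl":                           # [b - d, b], d >= 0, inside [0, T]
        return any(holds(J, V, b - d, b, f[1]) for d in range(b + 1))
    if kind == "dr":                           # [e, e + d], d >= 0, inside [0, T]
        return any(holds(J, V, e, e + d, f[1]) for d in range(T - e + 1))
    raise ValueError(kind)

# ---- the nine modalities, directly from their semantics (items 1-9) -----
def direct(J, V, b, e, name, f, g=None):
    H = lambda bb, ee, h: holds(J, V, bb, ee, h)
    return {
        "A":    lambda: any(H(e, a, f) for a in range(e + 1, T + 1)),
        "Abar": lambda: any(H(a, b, f) for a in range(0, b)),
        "B":    lambda: any(H(b, a, f) for a in range(b, e)),
        "Bbar": lambda: any(H(b, a, f) for a in range(e + 1, T + 1)),
        "E":    lambda: any(H(a, e, f) for a in range(b + 1, e + 1)),
        "Ebar": lambda: any(H(a, e, f) for a in range(0, b)),
        "chop": lambda: any(H(b, m, f) and H(m, e, g) for m in range(b, e + 1)),
        "T":    lambda: any(H(e, a, f) and H(b, a, g) for a in range(e, T + 1)),
        "D":    lambda: any(H(a, b, f) and H(a, e, g) for a in range(0, b + 1)),
    }[name]()

# ---- the same modalities encoded in NL, as in the proof of Theorem 1 ----
def encoded(name, f, g=None):
    L, x, y = Len, "x", "y"
    return {
        "A":    Dr(And(L(">", 0), f)),
        "Abar": Dl(And(L(">", 0), f)),
        "B":    Exists(x, And(L("=", x), Drc(And(L("<", x), f)))),
        "Bbar": Exists(x, And(L("=", x), Drc(And(L(">", x), f)))),
        "E":    Exists(x, And(L("=", x), Dlc(And(L("<", x), f)))),
        "Ebar": Exists(x, And(L("=", x), Dlc(And(L(">", x), f)))),
        "chop": Exists(x, Exists(y, And(L("=", ("+", x, y)),
                    Drc(And(L("=", x), And(f, Dr(And(L("=", y), g)))))))),
        "T":    Exists(x, Exists(y, And(L("=", x),
                    Dr(And(L("=", y), And(f, Dlc(And(L("=", ("+", x, y)), g)))))))),
        "D":    Exists(x, Exists(y, And(L("=", x),
                    Dl(And(L("=", y), And(f, Drc(And(L("=", ("+", x, y)), g)))))))),
    }[name]

def adequacy_mismatches(J, f=Letter("P"), g=Letter("Q")):
    """Compare direct and encoded semantics on every interval of [0, T];
    Theorem 1 predicts an empty list."""
    return [(name, b, e)
            for b, e in product(range(T + 1), repeat=2) if b <= e
            for name in ("A", "Abar", "B", "Bbar", "E", "Ebar", "chop", "T", "D")
            if direct(J, {}, b, e, name, f, g) != holds(J, {}, b, e, encoded(name, f, g))]

# Constructed sample interpretation: the intervals on which P and Q are true.
J_SAMPLE = {"P": {(0, 0), (1, 3), (2, 2), (3, 5), (4, 6)},
            "Q": {(0, 3), (1, 5), (3, 3), (2, 6), (5, 6)}}

if __name__ == "__main__":
    print("mismatches:", adequacy_mismatches(J_SAMPLE))   # expected []
```

Because the neighbourhood modalities only ever look at the beginning point (for ◇l) or the ending point (for ◇r) of the current interval, the evaluator never needs the current interval itself when it recurses into a modality; that is the same observation that makes the converse modalities and axioms A6 and A7 of the next section work.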
4 Proof System 

In this section we present a proof system for NL. There is a completeness result 
[3] for this proof system with respect to a class of interval models which contains 
the real intervals. In the last subsection we discuss this result. 

In the following axiom and rule schemas, $\Diamond$ is a parameter which can be 
instantiated by either $\Diamond_l$ or $\Diamond_r$. As usual when instantiating a schema, the in- 
stantiation must be consistent for all occurrences of $\Diamond$ in the schema. Moreover, 
we adopt the abbreviations:

$$\bar\Diamond \triangleq \begin{cases} \Diamond_r & \text{if } \Diamond = \Diamond_l\\ \Diamond_l & \text{if } \Diamond = \Diamond_r \end{cases}$$

$$\Box\phi \triangleq \neg\Diamond\neg\phi, \qquad \Diamond^c\phi \triangleq \bar\Diamond\Diamond\phi, \qquad \Box^c\phi \triangleq \neg\Diamond^c\neg\phi$$

(and correspondingly $\bar\Box\phi \triangleq \neg\bar\Diamond\neg\phi$ and $\bar\Diamond^c\phi \triangleq \Diamond\bar\Diamond\phi$ for the other modality). 

To formulate the axioms and inference rules, we need the standard notion of 
free (global) variables. Moreover, a term is called rigid if it does not contain any 
temporal variable, and a formula is called modality free if neither $\Diamond_l$ nor $\Diamond_r$ occurs 
in the formula. A formula is called rigid if it is modality free and contains only 
rigid terms and no temporal propositional letter. 

The axiom schemas of NL are: 

Rigid formulas are not connected to intervals: 

A1 $\Diamond\phi \Leftrightarrow \phi$, provided $\phi$ is rigid 

Interval length is non-negative: 

A2 $\ell \ge 0$ 

Neighbourhoods can be of arbitrary lengths: 

A3 $(x \ge 0) \Rightarrow \Diamond(\ell = x)$ 

Neighbourhood modalities distribute over disjunction and existential quan- 
tification: 

A4 $\Diamond(\phi \vee \psi) \Rightarrow \Diamond\phi \vee \Diamond\psi$ 

   $\Diamond\exists x.\phi \Rightarrow \exists x.\Diamond\phi$ 

A neighbourhood is determined by its length: 

A5 $\Diamond((\ell = x) \wedge \phi) \Rightarrow \Box((\ell = x) \Rightarrow \phi)$ 

Left (right) neighbourhoods of an interval always start at the same point: 

A6 $\Diamond\bar\Diamond\phi \Rightarrow \Box\bar\Diamond\phi$ 
A left (right) neighbourhood of the ending (beginning) point of an interval can 
be the interval itself, if they have the same length: 

A7 $(\ell = x) \Rightarrow (\phi \Leftrightarrow \Diamond^c((\ell = x) \wedge \phi))$ 

Two consecutive left (right) expansions can be replaced by a single left (right) 
expansion, if the length of the expansion is the sum of the two former lengths: 

A8 $((x \ge 0) \wedge (y \ge 0)) \Rightarrow (\Diamond((\ell = x) \wedge \Diamond((\ell = y) \wedge \Diamond\phi)) \Leftrightarrow \Diamond((\ell = x + y) \wedge \Diamond\phi))$ 

The rule schemas of NL are: 

M   If $\phi \Rightarrow \psi$ then $\Diamond\phi \Rightarrow \Diamond\psi$   (Monotonicity) 

N   If $\phi$ then $\Box\phi$   (Necessity) 

MP  If $\phi$ and $\phi \Rightarrow \psi$ then $\psi$   (Modus Ponens) 

G   If $\phi$ then $(\forall x)\phi$   (Generalization) 

The Monotonicity and Necessity rules are taken from modal logic and the 
Modus Ponens and Generalization rules are taken from first order predicate logic. 

The proof system also contains the axioms of first order predicate logic with 
equality as well as a first order theory of the real numbers. Any axiomatic basis can 
be chosen, and we will use "PL" when we refer to axioms, theorems and inference 
rules of first order predicate logic and the first order theory of the real numbers. 
Special care must, however, be taken when universally quantified formulas are 
instantiated and when an existential quantifier is introduced. 

To formulate axiom schemas for quantification we define: A term $\theta$ is called 
free for $x$ in $\phi$ if $x$ does not occur freely in $\phi$ within the scope of $\exists y$ or $\forall y$, where 
$y$ is any variable occurring in $\theta$. 

The following axiom schemas are sound:

$$\begin{array}{l} \forall x.\phi(x) \Rightarrow \phi(\theta)\\ \phi(\theta) \Rightarrow \exists x.\phi(x) \end{array} \quad \text{if either } \theta \text{ is free for } x \text{ in } \phi(x) \text{ and } \theta \text{ is rigid, or } \theta \text{ is free for } x \text{ in } \phi(x) \text{ and } \phi(x) \text{ is modality free.}$$

A proof in NL of $\phi$ is a finite sequence of formulas $\phi_1 \cdots \phi_n$, where $\phi_n$ is $\phi$ 
and each $\phi_i$ is either an instance of one of the above axiom schemas or obtained 
by applying one of the above inference rules to previous members of the sequence. 
We write $\vdash \phi$ to denote that there exists a proof of $\phi$, and call $\phi$ a theorem of 
NL. 

A deduction of $\phi$ from a set of formulas $\Gamma$ (called assumptions) is a finite 
sequence of formulas $\phi_1 \cdots \phi_n$, where $\phi_n$ is $\phi$ and each $\phi_i$ is either a member 
of $\Gamma$, an instance of one of the above axiom schemas, or obtained by applying 
one of the above inference rules to previous members of the sequence. We write 
$\Gamma \vdash \phi$ to denote that there exists a deduction of $\phi$ from $\Gamma$. 

Properties about Neighbourhood Logic are another kind of theorems, also 
called meta-theorems. One such example is the soundness of the proof system: 
Theorem 2. (Soundness.) If $\vdash \phi$ then $\models \phi$. 

Proof. A proof of the soundness theorem can be given by proving that each 
axiom is sound and that each inference rule preserves soundness. In [19], NL is 
encoded in PVS and the soundness of NL is checked by PVS. 

4.1 Theorems of NL 

We list and give proofs of a set of theorems of NL. These theorems are used 
in the completeness proof of NL, and they can also help us to understand the 
calculus. 

We will denote theorems and deductions in NL by T1, T2, etc., to distinguish 
them from meta-theorems. 

The first deduction to be derived is the monotonicity of $\Box$: 

T1 If $\vdash \phi \Rightarrow \psi$ then $\vdash \Box\phi \Rightarrow \Box\psi$ 

The following deduction establishes T1: 

1. $\phi \Rightarrow \psi$   assumption 

2. $\neg\psi \Rightarrow \neg\phi$   1., PL 

3. $\Diamond\neg\psi \Rightarrow \Diamond\neg\phi$   2., M 

4. $\neg\Diamond\neg\phi \Rightarrow \neg\Diamond\neg\psi$   3., PL 

T2 a. $\Diamond\mathit{true}$ 
   b. $\neg\Diamond\mathit{false}$ 

where $\mathit{true} \triangleq (0 = 0)$ and $\mathit{false} \triangleq \neg\mathit{true}$. 

The following is a proof for T2a: 

1. $(0 \ge 0) \Rightarrow \Diamond(\ell = 0)$   A3 

2. $\Diamond(\ell = 0)$   PL$(0 \ge 0)$, 1., MP 

3. $\Diamond\mathit{true}$   2., M 

The second part, T2b, is an instance of A1. 

The following theorems express, together with A4, that $\Diamond$ commutes with 
disjunction and existential quantification: 

T3 a. $(\Diamond\phi \vee \Diamond\psi) \Rightarrow \Diamond(\phi \vee \psi)$ 
   b. $\exists x.\Diamond\phi \Rightarrow \Diamond\exists x.\phi$ 

Proof for T3a: 

1. $\phi \Rightarrow (\phi \vee \psi)$   PL 

2. $\Diamond\phi \Rightarrow \Diamond(\phi \vee \psi)$   1., M 

3. $\psi \Rightarrow (\phi \vee \psi)$   PL 

4. $\Diamond\psi \Rightarrow \Diamond(\phi \vee \psi)$   3., M 

5. $(\Diamond\phi \vee \Diamond\psi) \Rightarrow \Diamond(\phi \vee \psi)$   2., 4., PL 

Proof for T3b: 
1. $\phi \Rightarrow \exists x.\phi$   PL 

2. $\Diamond\phi \Rightarrow \Diamond\exists x.\phi$   1., M 

3. $\forall x.(\Diamond\phi \Rightarrow \Diamond\exists x.\phi)$   2., G 

4. $\forall x.(\Diamond\phi \Rightarrow \Diamond\exists x.\phi) \Rightarrow (\exists x.\Diamond\phi \Rightarrow \Diamond\exists x.\phi)$   PL, $x$ is not free in $\Diamond\exists x.\phi$ 

5. $\exists x.\Diamond\phi \Rightarrow \Diamond\exists x.\phi$   3., 4., MP 

We will use the following convention for presenting proofs:

$$\begin{array}{l} \phi_1\\ \Rightarrow \phi_2\\ \Rightarrow \phi_3 \end{array} \quad \text{is an abbreviation for the proof:} \quad \begin{array}{ll} 1.\ \phi_1 \Rightarrow \phi_2\\ 2.\ \phi_2 \Rightarrow \phi_3\\ 3.\ \phi_1 \Rightarrow \phi_3 & 1., 2., \text{PL} \end{array}$$

and

$$\begin{array}{l} \phi_1\\ \Leftrightarrow \phi_2\\ \Rightarrow \phi_3 \end{array} \quad \text{is an abbreviation for the proof:} \quad \begin{array}{ll} 1.\ \phi_1 \Leftrightarrow \phi_2\\ 2.\ \phi_2 \Rightarrow \phi_3\\ 3.\ \phi_1 \Rightarrow \phi_3 & 1., 2., \text{PL} \end{array}$$

This generalizes to longer chains $\phi_1 \Rightarrow \cdots \Rightarrow \phi_n$. 

T4 a. $\Box\phi \Rightarrow \Diamond\phi$ 
   b. $(\Diamond\phi \wedge \Box\psi) \Rightarrow \Diamond(\phi \wedge \psi)$ 
   c. $(\Box\phi \wedge \Box\psi) \Rightarrow \Box(\phi \wedge \psi)$ 

We only present proofs for the first two parts. Proof for T4a:

$$\begin{array}{lll}
& \Box\phi\\
\Rightarrow & \Diamond(\phi \vee \neg\phi) & \text{T2a, PL}\\
\Rightarrow & \Diamond\phi \vee \Diamond\neg\phi & \text{A4}\\
\Rightarrow & \Diamond\phi & \text{Def.}\ \Box\text{, PL}
\end{array}$$

Proof for T4b:

$$\begin{array}{lll}
& \Diamond\phi \wedge \Box\psi\\
\Rightarrow & \Diamond((\phi \wedge \psi) \vee (\phi \wedge \neg\psi)) \wedge \Box\psi & \text{PL, M}\\
\Rightarrow & (\Diamond(\phi \wedge \psi) \vee \Diamond(\phi \wedge \neg\psi)) \wedge \Box\psi & \text{A4}\\
\Rightarrow & (\Diamond(\phi \wedge \psi) \wedge \Box\psi) \vee (\Diamond\neg\psi \wedge \Box\psi) & \text{PL, M}\\
\Rightarrow & \Diamond(\phi \wedge \psi) & \text{PL, Def.}\ \Box
\end{array}$$

T5 a. $\phi \Rightarrow \Diamond^c\phi$ 
   b. $\bar\Diamond^c\Diamond\phi \Leftrightarrow \Diamond\phi$ 
   c. $(\Diamond\phi \wedge \bar\Diamond^c\psi) \Leftrightarrow \Diamond(\phi \wedge \bar\Diamond\psi)$ 
Proof for T5a, where we assume that $x$ is not free in $\phi$: 

1. $$\begin{array}{lll}
& (\ell = x) \wedge \phi\\
\Rightarrow & \Diamond^c((\ell = x) \wedge \phi) & \text{A7}\\
\Rightarrow & \Diamond^c\phi & \text{PL, M}
\end{array}$$

2. $$\begin{array}{lll}
& \phi\\
\Rightarrow & \exists x.(\ell = x) \wedge \phi & \text{PL}\\
\Rightarrow & \exists x.((\ell = x) \wedge \phi) & \text{PL, } x \text{ not free in } \phi
\end{array}$$

3. $\phi \Rightarrow \Diamond^c\phi$   1., 2., PL$(\exists-)$ 

Proof for T5b. The direction $\Leftarrow$ follows from T5a and M. The direction $\Rightarrow$ is 
established by: 

1. $$\begin{array}{lll}
& \neg\Diamond\phi\\
\Rightarrow & \Box\bar\Diamond\neg\Diamond\phi & \text{T5a, A6 } (\bar\Diamond^c = \Diamond\bar\Diamond)\\
\Rightarrow & \Box\bar\Box\neg\Diamond\phi & \text{A6, T1}
\end{array}$$

2. $$\begin{array}{lll}
& \bar\Diamond^c\Diamond\phi \wedge \neg\Diamond\phi\\
\Rightarrow & \Box\bar\Box\neg\Diamond\phi \wedge \Diamond\bar\Diamond\Diamond\phi & \text{1., PL}\\
\Rightarrow & \Diamond(\bar\Box\neg\Diamond\phi \wedge \bar\Diamond\Diamond\phi) & \text{T4b}\\
\Rightarrow & \Diamond\bar\Diamond(\neg\Diamond\phi \wedge \Diamond\phi) & \text{T4b, M}\\
\Rightarrow & \mathit{false} & \text{PL, T2b, M}
\end{array}$$

3. $\bar\Diamond^c\Diamond\phi \Rightarrow \Diamond\phi$   2., PL 

Proof for T5c. The direction $\Leftarrow$ follows from PL and M. The direction $\Rightarrow$ is 
established by:

$$\begin{array}{lll}
& \Diamond\phi \wedge \bar\Diamond^c\psi\\
\Rightarrow & \Diamond\phi \wedge \Box\bar\Diamond\psi & \text{A6, PL}\\
\Rightarrow & \Diamond(\phi \wedge \bar\Diamond\psi) & \text{T4b}
\end{array}$$

T6 a. $\Diamond\bar\Box\phi \Rightarrow \Box\bar\Box\phi$ 
   b. $\bar\Diamond^c\Box\phi \Leftrightarrow \Box\phi$ 
   c. $(\Diamond\phi \wedge \Diamond\bar\Box\psi) \Leftrightarrow \Diamond(\phi \wedge \bar\Box\psi)$ 

The proofs for these theorems are similar to those for T5. 

T7 $(\Diamond((\ell = x) \wedge \phi) \wedge \Diamond((\ell = x) \wedge \psi)) \Rightarrow \Diamond((\ell = x) \wedge \phi \wedge \psi)$ 

Proof for T7:

$$\begin{array}{lll}
& \Diamond((\ell = x) \wedge \phi) \wedge \Diamond((\ell = x) \wedge \psi)\\
\Rightarrow & \Box((\ell = x) \Rightarrow \phi) \wedge \Box((\ell = x) \Rightarrow \psi) \wedge \Diamond(\ell = x) & \text{A5, M, PL}\\
\Rightarrow & \Box((\ell = x) \Rightarrow (\phi \wedge \psi)) \wedge \Diamond(\ell = x) & \text{T4c, PL}\\
\Rightarrow & \Diamond((\ell = x) \wedge ((\ell = x) \Rightarrow (\phi \wedge \psi))) & \text{T4b, PL}\\
\Rightarrow & \Diamond((\ell = x) \wedge \phi \wedge \psi) & \text{PL, M}
\end{array}$$
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If (a; > 0) A (y > 0) then the following formulas are theorems^: 

a. (£ = x) => {0{{£ = y) A ^<t>) ^ <y^{{£ = X + y) A 0<f>)) 

b. (£ = x) => {0{{£ = y) A<i>) ^ <y^{{£ = x + y)A 0^{{£ = y) A <f)))) 

c. 0{{£ = a;) A 0{{£ = y) A <f>)) ^ 0((£ = x + y)A 0^{{£ = y) A <f>)) 
T8 

d. (v>x^^\ ^ 

0((£ = y ^x) A 0(f>) 

e-{y>x )^{ ^ = y)A(f>))^\ 

\0{{£ = y^x)AO%{£ = y)A(f>))) 

Proof for T8a: 

£ = X 

^ 0{{£ = y)A 0(f>) ^ <f{{£ = x)A 0{{£ = y)A 04>)) A7 
^ 0{{£ = y)A 0<f)) ^ <f{{£ = x + y)AO<f)) A8, M, PL 

Proof for T86: 

£ = X 

^ 0{{£ = y)A<f))^ 0{{£ = y)A 0^{{£ = y) A <t>)) A7, M 

^ 0{{£ = y)A<t>)^ <f{{£ = x + y)A 0^{{£ = y) A <t>)) T8a, PL 

We give a proof for d, leaving the proofs for c and e for the reader. 

Proof for T8d: Assume y > x >0: 

1. 0^{{£ = x)A 0^((£ = y)A C><f>)) 

0'^((£ = x) A 0((£ = y ^x) A Ofj))) T8a(y = x + (y <t^a;)), M 

2. 0^{{£ = x)A0{{£ = y^x)A0<f))) 

^ 0^{£ = x)A 0^0{{£ = y ^x) A 0<t>) M, PL 
^ 0{{£ = y ^x) A 0(f>) T5b, PL 

3. true O (£ = x) PL, A3 

4. Otrue O O (£ = a;) 3., M 

5.0^{£ = x) 4.,T2a, MP 

6. 0((£ = y <^x) A 0<f>)) 

^ 0^{£ = x)A 0^0{{£ = y ^x) A 0<f))) 5., T5a, PL 
^ 0(0 (£ = x)A <f{{£ = y ^x) A 0<f))) T5c(0<=0 = O O O = 00<=) 

^ O O ((£ = a;) A 0{{£ = y ^x) A 0<f))) T5c, M 

7. 0^{{£ = x)A 0^((£ = y)A O^)) 0{{£ = y^x) A 0<t>) l.,2.,6.,PL 

² Here, by ‘If φ then ψ is a theorem’, we mean: ⊢ φ ⇒ ψ.
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a. (1 = 0) ^ {(f> ^ 0{{l = 0) A (f>)) 
h. 0(f> ^ 0{{l = 0) AO(f>) 

Proof for T9a: 



£ = 0 

^ 0{{£ = 0)A<f))^ <f{{£ = 0)A = 0) A <f))) T86(0 + 0 = 0) 

^ 0{{£ = 0) A = 0)A<f)) A7 

'^{{£ = 0) A <f)) <f) A7 

Proof for T9b, where we assume that y is not free in φ.

0{{£ = 0) A 0<f)) 

^ olli = 0) A 0{3y > 0.{£ = y) A <f>)) PL,A2,M 

^3y> 0.O{{£ = 0) A 0{{£ = y) A <f))) A4, PL, T36 

^3y> 0.O{{£ = 0 + y)A = y) A <t>)) T8c, PL 

<S+ > 0.O((£ = y) A A7(0 + y = y), PL, M 

<S+ PL, M, A4, A2, T36 

A deduction theorem can be proved for NL, similar to the deduction theorem
for Interval Temporal Logic [8]. The following abbreviation is useful to formulate
the theorem:



A reads: “for all intervals: 

Theorem 3. (Deduction.) 

If a deduction D,(p \- tjj, involves no application of the generalization rule G 
of which the quantified variable is free in (f>, then D h ip 

Proof. See [15]. 

Furthermore, many interesting theorems of NL are proved in [15], e.g. that A1
is true for formulas φ which only contain rigid terms but need not be modality
free.

4.2 A completeness result for NL 

So far, real numbers (ℝ) have been used as the domain of time and values. It
is well known that it is impossible to have a complete axiomatization of the
real numbers: one can develop different first order theories for the real numbers,
but none of them can be complete. Hence no consistent calculus can prove every
valid formula of NL when the real numbers are taken as time and value domain.
However, given a first order theory of the real numbers, denoted A, we can
investigate completeness of the calculus with respect to a notion of A-validity.
Roughly speaking, a formula is A-valid if it is valid in all models whose time
and value domains satisfy A.

A first order theory A is called a first order theory of the real numbers, if A 
includes the following axioms: 
D1 Axioms for =:

1. x = x

2. (x = y) ⇒ (y = x)

3. ((x = y) ∧ (y = z)) ⇒ (x = z)

4. ((x₁ = y₁) ∧ ... ∧ (xₙ = yₙ)) ⇒ (fⁿ(x₁, ..., xₙ) = fⁿ(y₁, ..., yₙ)),

where fⁿ is an n-ary function symbol.

5. ((x₁ = y₁) ∧ ... ∧ (xₙ = yₙ)) ⇒ (Gⁿ(x₁, ..., xₙ) ⇒ Gⁿ(y₁, ..., yₙ)),

where Gⁿ is an n-ary relation symbol.

D2 Axioms for +:

1. (x + 0) = x

2. (x + y) = (y + x)

3. (x + (y + z)) = ((x + y) + z)

4. ((x + y) = (x + z)) ⇒ (y = z)

D3 Axioms for ≥:

1. 0 ≥ 0

2. ((x ≥ 0) ∧ (y ≥ 0)) ⇒ ((x + y) ≥ 0)

3. (x ≥ y) ⇔ ∃z ≥ 0. x = (y + z)

4. ¬(x ≥ y) ⇒ (y > x)

where (y > x) ≙ ((y ≥ x) ∧ ¬(y = x))

D4 Axiom for −:

((x − y) = z) ⇔ (x = (y + z))
The above axioms constitute a minimal first order theory that can guarantee
the completeness of the calculus with respect to A-validity. However, they are
far from the ‘best’ set of axioms to characterize the real numbers. For example,
the singleton {0} satisfies all the above axioms. One may like to introduce
multiplication and division, or to have additional axioms and rules that capture
more properties of the real numbers, such as infinitude and density:

D5 Axiom for infinitude:

∃y.(y > x)

D6 Axiom for density:

(x > y) ⇒ ∃z.((x > z) ∧ (z > y)).
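As an added check that is not part of the paper, the following Python script evaluates D2 to D6 by brute force over a finite domain (D1 is not enumerated: with = read as identity and the symbols interpreted as functions it holds in every structure). Run on the singleton {0} it confirms the remark above: D2 to D4 hold, D5 fails, and D6 holds only vacuously, because no pair with x > y exists. Going slightly beyond the text, it also shows that the cyclic group Z_5 with x ≥ y read as always true satisfies every one of D1 to D6, so even infinitude and density together do not force an infinite or a dense domain. The names `Structure`, `check_axioms` and the two structures are this example's own.

```python
"""Finite-model check of the first-order axioms D1-D6 for the real numbers.

Added example, not from the paper. Each axiom is evaluated by enumerating all
variable assignments over a finite domain; the two structures at the bottom
are constructed for the check.
"""
from itertools import product


class Structure:
    """A candidate A-set: a domain plus interpretations of 0, +, - and >=."""

    def __init__(self, domain, zero, add, sub, geq):
        self.domain, self.zero = list(domain), zero
        self.add, self.sub, self.geq = add, sub, geq

    def gt(self, y, x):
        """(y > x) is defined as ((y >= x) and not (y = x))."""
        return self.geq(y, x) and y != x

    def forall(self, n, pred):
        return all(pred(*xs) for xs in product(self.domain, repeat=n))

    def exists(self, n, pred):
        return any(pred(*xs) for xs in product(self.domain, repeat=n))


def check_axioms(st):
    """Truth value of every axiom D2.1 .. D6 in the structure st.
    D1 (the equality axioms) holds in any structure in which = is identity and
    the symbols are total functions, so it is not enumerated."""
    add, sub, geq, gt, zero = st.add, st.sub, st.geq, st.gt, st.zero
    return {
        'D2.1': st.forall(1, lambda x: add(x, zero) == x),
        'D2.2': st.forall(2, lambda x, y: add(x, y) == add(y, x)),
        'D2.3': st.forall(3, lambda x, y, z: add(x, add(y, z)) == add(add(x, y), z)),
        'D2.4': st.forall(3, lambda x, y, z: add(x, y) != add(x, z) or y == z),
        'D3.1': geq(zero, zero),
        'D3.2': st.forall(2, lambda x, y: not (geq(x, zero) and geq(y, zero))
                          or geq(add(x, y), zero)),
        # (x >= y) <=> exists z >= 0. x = y + z
        'D3.3': st.forall(2, lambda x, y: geq(x, y) ==
                          st.exists(1, lambda z: geq(z, zero) and x == add(y, z))),
        'D3.4': st.forall(2, lambda x, y: geq(x, y) or gt(y, x)),
        'D4':   st.forall(3, lambda x, y, z: (sub(x, y) == z) == (x == add(y, z))),
        'D5':   st.forall(1, lambda x: st.exists(1, lambda y: gt(y, x))),
        'D6':   st.forall(2, lambda x, y: not gt(x, y)
                          or st.exists(1, lambda z: gt(x, z) and gt(z, y))),
    }


CORE = ['D2.1', 'D2.2', 'D2.3', 'D2.4', 'D3.1', 'D3.2', 'D3.3', 'D3.4', 'D4']


def satisfies(st, names):
    """True iff every axiom listed in names holds in st."""
    results = check_axioms(st)
    return all(results[n] for n in names)


# Constructed structures. The singleton {0}: every operation returns 0 and
# >= is always true. Z_5: addition modulo 5 with >= read as always true.
SINGLETON = Structure([0], 0, lambda x, y: 0, lambda x, y: 0, lambda x, y: True)
Z5 = Structure(range(5), 0, lambda x, y: (x + y) % 5, lambda x, y: (x - y) % 5,
               lambda x, y: True)

if __name__ == '__main__':
    for name, st in (('{0}', SINGLETON), ('Z_5', Z5)):
        print(name, check_axioms(st))
```

The enumeration is exponential in the arity of each axiom, which is harmless for domains of a handful of elements but means the checker is a model finder for small counter-examples, not a decision procedure for the theory.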

Given a first order theory A of the real numbers, a set D is called an A-set
if the function symbols and the relation symbols are defined on D and satisfy A.
When an A-set D is chosen as time and value domain of NL, we denote the
set of time intervals of D by Intv_D, a value assignment from global variables to
D by V_D, and an interpretation with respect to D by J_D, where

Intv_D = {[b, e] | (b, e ∈ D) ∧ (b ≤ e)},

V_D : GVar → D,

and

J_D(v) : (Intv_D → D), for v ∈ TVar, and
J_D(X) : (Intv_D → {tt, ff}), for X ∈ PLetter.

A model M_D is a pair consisting of an A-set D and an interpretation J_D.
The truth value of a formula φ given a model M_D, a value assignment V_D,
and an interval [b, e] ∈ Intv_D is defined as in the semantic definitions on Page 6.
We write M_D, V_D, [b, e] ⊨_D φ to denote that φ is true for the given model, value
assignment, and interval.

A formula φ is A-valid (written ⊨_A φ) iff φ is true for every A-model M_D,
value assignment V_D, and interval [b, e] ∈ Intv_D. Furthermore, φ is A-satisfiable iff
φ is true for some A-model M_D, value assignment V_D, and interval [b, e] ∈ Intv_D.
The proof system is sound and complete with respect to the class of A-models:

Theorem 4. (Soundness.) If ⊢ φ then ⊨_A φ.

Theorem 5. (Completeness.) If ⊨_A φ then ⊢ φ.

A proof of the soundness theorem is given by showing that each axiom is
sound and that each inference rule preserves soundness, i.e. yields a sound
formula when applied to sound formulas. A proof of the completeness theorem
can be developed along the lines proposed in [4]: one first proves completeness
of the calculus with respect to a kind of Kripke models, and then maps the
interval models to the Kripke models. The proof details are presented in [3].

5 Duration Calculus Based on NL 

The NL based Duration Calculus (DC) can be established as an extension of 
NL in the same way as it was established as an extension of ITL [21,8]. The 
induction rules of DC must, however, be weakened when DC is based on NL 
[15]. 

5.1 Syntax 

The idea is to give temporal variables v ∈ TVar a structure:

∫S

where S is called a state expression and is generated from a set SVar of state
variables P, Q, R, ..., according to the following abstract syntax:

S ::= 0 | 1 | P | ¬S1 | S1 ∨ S2

We will use the same abbreviations for propositional connectives in state 
expressions as introduced for NL formulas. 
Remark: The propositional connectives ¬ and ∨ occur both in state expressions
and in formulas but, as we shall see below, with different semantics. This does
not give problems as state expressions always occur in the context of ∫.



5.2 Semantics 



When we generate temporal variables from state variables, the semantics of
temporal variables must be derived from the semantics of the state variables.
To this end we introduce an interpretation for state variables (and propositional
letters) as a function:

I ∈ (SVar ∪ PLetters) → ((Time → {0, 1}) ∪ (Intv → {tt, ff}))

where I(P) ∈ Time → {0, 1} and I(X) ∈ Intv → {tt, ff}, and each function I(P)
has at most a finite number of discontinuity points in any interval. Hence I(P)
is integrable in any interval.

The semantics of a state expression S, given an interpretation I, is a function:

I[[S]] ∈ Time → {0, 1}

defined inductively on the structure of state expressions by:

I[[0]](t) = 0

I[[1]](t) = 1

I[[P]](t) = I(P)(t)

I[[¬S]](t) = 1 − I[[S]](t)

I[[S1 ∨ S2]](t) = 0 if I[[S1]](t) = 0 and I[[S2]](t) = 0, and 1 otherwise

We shall use the abbreviation S_I ≙ I[[S]]. We see by this semantics that each
function S_I has at most a finite number of discontinuity points in any interval
and is thus integrable in any interval.

The semantics of temporal variables, which now have the form ∫S, is given
by a function I[[∫S]] ∈ Intv → ℝ defined by:

I[[∫S]][b, e] = ∫_b^e S_I(t) dt

This function can be used to induce an interpretation J_I for temporal vari-
ables v of the form ∫S and temporal propositional letters from I:

J_I(X) = I(X) for any temporal propositional letter X
J_I(v) = I[[∫S]] when v is ∫S

The semantics of a duration calculus formula φ, given an interpretation I of
state variables, is a function:

I[[φ]] ∈ Val × Intv → {tt, ff}

for which we use the abbreviations:

I, V, [b, e] ⊨_DC φ ≙ I[[φ]](V, [b, e]) = tt

I, V, [b, e] ⊭_DC φ ≙ I[[φ]](V, [b, e]) = ff

The function can be defined as follows:

I, V, [b, e] ⊨_DC φ iff J_I, V, [b, e] ⊨ φ

The notions of satisfiability and validity of DC formulas are defined as for
NL formulas.



5.3 Proof system 

All axioms and inference rules of NL are adopted as axioms and inference rules of
DC. Furthermore, axioms and inference rules are added since temporal variables
now have a structure. The original axioms for durations are still sound when DC
is based on NL:

(DC-A1) ∫0 = 0

(DC-A2) ∫1 = ℓ

(DC-A3) ∫S ≥ 0

(DC-A4) ∫S1 + ∫S2 = ∫(S1 ∨ S2) + ∫(S1 ∧ S2)

(DC-A5) ((∫S = x)⌢(∫S = y)) ⇒ (∫S = (x +y))

(DC-A6) ∫S1 = ∫S2, provided S1 ⇔ S2 holds in propositional logic

We must add inference rules to formalize the finite variability of state expres-
sions³. Let X be a temporal propositional letter and φ be a formula in which X
does not occur. Let S be any state expression and let H(X) denote the formula
□_a(X ⇒ φ).

The two induction rules are:

IR1

If H(⌈⌉) and H(X) ⇒ (H(X⌢⌈¬S⌉) ∧ H(X⌢⌈S⌉))
then φ

and

IR2

If H(⌈⌉) and H(X) ⇒ (H(⌈¬S⌉⌢X) ∧ H(⌈S⌉⌢X))
then φ

where H(ψ) denotes the formula obtained from H(X) by replacing X with ψ, and

⌈⌉ ≙ ℓ = 0

⌈S⌉ ≙ (∫S = ℓ) ∧ (ℓ > 0)

³ It turns out that the original induction rules for DC are not sound when DC is based
on NL. A counter-example is given in [15].
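The semantics of Section 5.2 and the axioms DC-A1 to DC-A6 can be exercised on a concrete interpretation. The Python below is an added example, not code from the paper: a state function S_I with finitely many discontinuities is stored as a right-continuous step function, state expressions are evaluated pointwise exactly as in the inductive definition, ∫S over [b, e] is the integral of the resulting step function (computed exactly with fractions), ⌈S⌉ is decided as (∫S = ℓ) ∧ (ℓ > 0), and each axiom is checked on a constructed interpretation of two state variables P and Q. The names `Step`, `duration`, `everywhere`, `check_dc_axioms` and the interpretation `INTERP` are this example's own choices.

```python
"""Duration Calculus semantics over finitely variable state functions.

Added example, not from the paper. State functions are step functions with
finitely many breakpoints, so every duration is an exact finite sum; the
interpretation INTERP at the bottom is constructed for the checks.
"""
from fractions import Fraction as F


class Step:
    """Right-continuous step function Time -> {0,1}: value v_k on [t_k, t_{k+1}).
    Finitely many breakpoints, hence integrable on every interval. The first
    breakpoint must not lie after any time that is queried."""

    def __init__(self, points):
        self.points = sorted((F(t), v) for t, v in points)

    def __call__(self, t):
        value = self.points[0][1]
        for tk, vk in self.points:
            if tk > t:
                break
            value = vk
        return value

    def integral(self, b, e):
        """Exact integral over [b, e], splitting at the breakpoints inside it."""
        b, e = F(b), F(e)
        cuts = sorted({b, e, *(tk for tk, _ in self.points if b < tk < e)})
        return sum(((hi - lo) * self(lo) for lo, hi in zip(cuts, cuts[1:])), F(0))


def eval_state(S, I, t):
    """Pointwise semantics I[[S]](t). S is 0, 1, a state-variable name,
    ('not', S1) or ('or', S1, S2); ('and', S1, S2) abbreviates
    not(not S1 or not S2), as the paper's abbreviations do."""
    if S == 0 or S == 1:
        return S
    if isinstance(S, str):
        return I[S](t)
    op = S[0]
    if op == 'not':
        return 1 - eval_state(S[1], I, t)
    if op == 'or':
        return 0 if eval_state(S[1], I, t) == 0 and eval_state(S[2], I, t) == 0 else 1
    if op == 'and':
        return eval_state(('not', ('or', ('not', S[1]), ('not', S[2]))), I, t)
    raise ValueError(S)


def state_step(S, I):
    """S_I as a step function: S_I can only change where some variable does."""
    cuts = sorted({tk for var in I.values() for tk, _ in var.points}) or [F(0)]
    return Step([(tk, eval_state(S, I, tk)) for tk in cuts])


def duration(S, I, b, e):
    """I[[∫S]][b,e] = ∫_b^e S_I(t) dt."""
    return state_step(S, I).integral(b, e)


def everywhere(S, I, b, e):
    """⌈S⌉ on [b,e]: (∫S = ℓ) ∧ (ℓ > 0)."""
    return e > b and duration(S, I, b, e) == F(e) - F(b)


def check_dc_axioms(I, b, e, S1='P', S2='Q'):
    """Instances of DC-A1 .. DC-A6 on the interval [b,e] of interpretation I."""
    ell = F(e) - F(b)
    d = lambda S, lo=b, hi=e: duration(S, I, lo, hi)
    chop_points = [tk for tk, _ in state_step(S1, I).points if b < tk < e]
    return {
        'DC-A1': d(0) == 0,
        'DC-A2': d(1) == ell,
        'DC-A3': d(S1) >= 0 and d(S2) >= 0,
        'DC-A4': d(S1) + d(S2) == d(('or', S1, S2)) + d(('and', S1, S2)),
        # (∫S = x)⌢(∫S = y) ⇒ ∫S = x + y, tried at every chop point m
        'DC-A5': all(d(S1, b, m) + d(S1, m, e) == d(S1) for m in chop_points),
        # S1 ∨ S2 and ¬(¬S1 ∧ ¬S2) are propositionally equivalent
        'DC-A6': d(('or', S1, S2)) == d(('not', ('and', ('not', S1), ('not', S2)))),
    }


# Constructed interpretation: P = 1 on [1, 2.5); Q = 1 on [0, 2) and from 3 on.
INTERP = {
    'P': Step([(0, 0), (1, 1), (F(5, 2), 0)]),
    'Q': Step([(0, 1), (2, 0), (3, 1)]),
}

if __name__ == '__main__':
    print('∫P over [0,4] =', duration('P', INTERP, 0, 4))
    print(check_dc_axioms(INTERP, 0, 4))
```

Because the breakpoints of S_I are a subset of the breakpoints of the variables it mentions, finite variability is preserved by construction, which is exactly the property the induction rules IR1 and IR2 rely on.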
With these axioms and rules for Duration Calculus, a deduction theorem for
DC and a relative completeness result for DC with respect to valid formulas
of NL can be proved [15]. These results extend earlier results obtained for DC
based on ITL [8].

5.4 Specification of limits, liveness, and fairness 

Limit: The following formula is true when the limit of ∫S over an infinite interval
does not exist:

∀x. ◇_r(∫S > x)

and the following formula is true when the limit of ∫S over an infinite interval
is v:

∀ε > 0. ∃T. □_r((ℓ > T) ⇒ (|∫S − v| < ε)).

Fairness: Suppose two processes are competing for a resource and S_i(t) = 1
denotes that process i, i = 1, 2, has access to the resource at time t. Assume that
S1 and S2 are mutually exclusive (i.e. ¬(S1 ∧ S2)).

The two processes should have the same access time for the resource in the
limit:

∀ε > 0. ∃T. □_r((ℓ > T) ⇒ (|∫S1 − ∫S2| < ε)).

Liveness: The following formula specifies that the state S occurs infinitely often:

inf{S) = • 

For example, an oscillator for S is specified by:

inf(S) ∧ inf(¬S).

Strong fairness: If S1 denotes a request for a resource and S2 denotes the response
from the resource, then strong fairness requires that if there are infinitely often
requests then there must be responses infinitely often also. This is formalized
by:

inf(S1) ⇒ inf(S2).

Weak fairness: The following formula expresses that a state S stabilizes to S = 1
from some time on:



stabilize{S) = V |"5]) . 

Weak fairness requires that if the request for a resource stabilizes, then there will
be responses from the resource infinitely often:

stabilize(S1) ⇒ inf(S2).
5.5 Example: Delay insensitive circuits

A delay insensitive circuit is a circuit consisting of components having an un-
known delay. The delay may vary with time and place, for example because it
is data or temperature dependent.

In [9] there is a DC specification of a delay insensitive circuit and a proof
of its correctness. This specification contains a free (global) variable for each
component denoting a positive delay. The presence of all these variables makes
the specification, and also its correctness proof, rather clumsy. In this
example we sketch how aspects of delay insensitive circuits can be succinctly
modeled using NL without the use of (global) variables.

We consider circuits constructed from components where a component C has
a list of input ports x = x_1, ..., x_m and an output port y, and it performs a
function f : {0,1}^m → {0,1}. However, there is an unknown delay from the
input ports to the output port.

The input and output ports are modeled by state variables:

x_i, y : Time → {0, 1}.

If z = z_1, ..., z_l is a sequence of state expressions and a ∈ {0,1}^l, then z = a
denotes the state expression z'_1 ∧ ... ∧ z'_l, where z'_i = z_i if a_i = 1, and z'_i = ¬z_i
if a_i = 0.

There are two requirements for a component C:

1. If x = i then either y becomes f(i) or x changes. This requirement is
expressed as:

Fi=Oj^Jx=i] 0 ^ 0 ^(\y = f(i)Jw -^fx = i})) 

2. If y becomes f(i), then y persists unless x changes. There are two ways to
interpret this.

(a) y persists for some time, no matter whether x changes:

F2,e. = Oa{\x = i Ay = fil)} = /(*)!) 

(b) y may change as soon as x changes: 

F2,b = ^a{{\x = ij A<f^\y = f{i)}) ^ \y = f{i)}) 

An important property of the component is that the output stabilizes if the
input stabilizes, and it is possible to prove that:

(F1 ∧ F2) ⇒ (stabilize(x = i) ⇒ stabilize(y = f(i)))

where F2 is either F2,a or F2,b.

Suppose a circuit N of such components is constructed in a way where output
ports can be connected with input ports, but output ports are not connected
with each other. The circuit will have a sequence of input ports X = X_1, ..., X_k,
i.e. the input ports of the components which receive input from the environment.
Furthermore, there will be a sequence of output ports Y = Y_1, ..., Y_l, which send
output to the environment.

Suppose the circuit should perform a function f : {0,1}^k → {0,1}^l in the
sense that if the input stabilizes to in ∈ {0,1}^k then the output must eventually
stabilize to f(in). This can be specified as:

stabilize(X = in) ⇒ stabilize(Y = f(in))

and it is a proof obligation for the correctness of the circuit that this formula is
implied by the conjunction of the formulas for the components.

6 Real Analysis 

In this section, we express in NL notions of limits, continuity, differentiation etc.
in a way very close to conventional mathematics of real analysis.

For every state S, we introduce a temporal propositional letter denoted at(S),
with the meaning that S holds (i.e. S = 1) at a time point, i.e.:

I, V, [b, e] ⊨ at(S) iff b = e and S_I(b) = 1

The additional axioms and rule are:

— Either S or ¬S holds at a time point:

at(¬S) ⇔ ((ℓ = 0) ∧ ¬at(S))

— (S1 ∨ S2) holds at a time point iff either S1 or S2 holds:

at(S1 ∨ S2) ⇔ (at(S1) ∨ at(S2))

— Monotonicity:

If S1 ⇒ S2, then at(S1) ⇒ at(S2)

For expressing real analysis, we introduce an abbreviation, in(φ), which spec-
ifies that φ holds at every point (interval) inside a non-point interval:

in(φ) ≙ (ℓ > 0) ∧ ¬((ℓ > 0)⌢(¬φ ∧ (ℓ = 0))⌢(ℓ > 0))

We will abbreviate in(at(S)) to in(S), which means that S = 1 everywhere inside
a non-point interval.

Limits: Let α : ℝ → ℝ.

The right limit of α at a point is v if for any ε > 0 there exists a right
neighbourhood of the point such that for any t in the neighbourhood: |α(t) − v| <
ε. |α − v| < ε is either true or false for t ∈ ℝ, and is therefore regarded as a state
variable⁴.

⁴ Formally speaking, α belongs to another additional function symbol set of NL. −
and < are operators over the additional symbol set, and are defined as the pointwise
generalization of the standard ones.
This definition from real analysis can be expressed directly in NL as:

Lmt⁺(α, v) ≙ (ℓ = 0) ∧ ∀ε > 0. ◇_r in(|α − v| < ε)

The value of the right limit of α at a point, denoted α⁺, can be defined by
the description operator, ι, of first order predicate logic:

α⁺ ≙ ιy. Lmt⁺(α, y)

Similarly, the left limit of α at a point being v, and the value of the left limit at
a point, can be expressed as:

Lmt⁻(α, v) ≙ (ℓ = 0) ∧ ∀ε > 0. ◇_l in(|α − v| < ε)

α⁻ ≙ ιy. Lmt⁻(α, y)

The following formula expresses that the limit of α is v when t approaches
∞:

∀ε > 0. ∃T > 0. □_r((ℓ > T) ⇒ ((ℓ = T)⌢in(|α − v| < ε)))

Continuity: A function α is continuous at a point if its left limit is equal to its
right limit and equals its value at the point. This is expressed in NL as:

Cnt(α) ≙ (α⁺ = α⁻ = ιy. at(α = y))

Thus, the continuity of α inside an interval is expressed in NL as in(Cnt(α)).



Derivatives: The following formulas express that the left (right) derivative of a 
at a point is v: 

Dft~ {a, v) = 3y.{at{a = y) A Ve > 0.3<5 > O.D/(((5 > £ > 0) < e)) 

Dft~^(a, v) = 3y.(at(a: = y) A Ve > 0.3<5 > O.Dr(((5 > ^ > 0) | < e)) 

where α_b (α_e) stands for ιy. ◇_l at(α = y) (ιy. ◇_r at(α = y)), which defines the
value of α at the beginning (ending) point of an arbitrary given interval.

We can express that v is the derivative of α at a point, and the derivative of
α, as:

Dft(α, v) ≙ Dft⁻(α, v) ∧ Dft⁺(α, v)

α̇ ≙ ιy. Dft(α, y)

Thus, in(α̇ = β) expresses that the differential equation α̇ = β holds within
an interval, where β : ℝ → ℝ.




7 Discussions 
Some research on DC ([24, 10, 20]) has already applied the notion of left and right
neighbourhoods for describing instant actions in ITL. An instant state transition
from S1 to S2 can be modeled as a neighbourhood property of the transition,
such that S1 holds in a left neighbourhood of the transition and S2 holds in
a right neighbourhood of it. They use the notation ↘S1 and ↗S2 to express
those neighbourhood properties, and the conjunction (↘S1 ∧ ↗S2) to specify
the transition. ◇_l and ◇_r can be regarded as a generalization of ↘ and ↗, since
↘S1 can be defined as ◇_l⌈S1⌉ and ↗S2 as ◇_r⌈S2⌉, where S1 and S2 are
considered state variables.

In order to develop formal techniques for designing hybrid systems, this paper
tries to axiomatize a mathematical theory of real analysis in the framework of
interval temporal logic. Such an axiomatization requires a long-term effort, and
this paper presents a very tentative attempt in this direction.
Abstract. Partial order based techniques are incorporated in an inter-
leaving semantics, based on coding partial order information in linear
time temporal logic. An example of development is given.



1 Introduction and Overview 



Compositional program development means that the syntactic structure of a
program guides the development. Such guidance need not be limited to classical
top-down or bottom-up development, but applies also to transformational de-
velopment. Compositionality here requires that a program transformation on P
is carried out by identifying some syntactic subprogram S1 of P and replacing
it by some other subprogram S2. In this paper we combine transformation of
concurrent programs with the classical Owicki-Gries style techniques for prov-
ing the correctness of concurrent programs. This transformational method is
Unlike the sequential case, algorithms for concurrent and distributed programs 
usually take the system architecture into account, and are therefore dependent 
on aspects as the number of parallel processing units available, the structure and 
performance of the network connecting those processing units. This leads to a 
wide variety of algorithms, each one tailored for some particular architecture, 
for solving one and the same task. The transformational approach often allows 
one to start off with a single common algorithm, and then to transform it in 
various ways, so as to conform to the requirements of particular architectures. 
Informally we often make a distinction between the “physical structure” and
the “logical structure” of programs. The physical structure refers to a program
S_D that has a syntactic structure that is reasonably close to the actual physical
architecture that will be used to execute the program. For instance, one expects
a simple and straightforward mapping from the parallel processes of S_D to the
actual processing units available in a given system architecture. We assume here
that the physical structure can be described as a collection of distributed and
communicating network nodes P_i, each of which executes a number of sequen-
tial phases. Schematically, this can be described as a program of the
following form:

S_D ≙ [(P_{1,1} ; P_{1,2} ; ... ; P_{1,m}) || ... || (P_{n,1} ; P_{n,2} ; ... ; P_{n,m})]



* The author thanks Mannes Poel for collaboration and fruitful discussions 



W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 609-631, 1998. 
Springer-Verlag Berlin Heidelberg 1998 




610 



J. Zwiers 



The logical structure on the other hand is a program S_L that has a syntac-
tic structure that allows for simple verification. As observed for instance in
[EF82, SdR87, JZ92b, JZ92a, ZJ94, JPXZ94, FPZ93] the “logical” structure,
i.e. the structure that one would use to explain the protocol, often appears to
be sequentially phased, that is, as a program of the form:

S_L ≙ [P_{1,1} || ... || P_{n,1}] ; ... ; [P_{1,m} || ... || P_{n,m}]

One of the aims of this paper is to explain under which circumstances such se-
quentially phased programs S_L are actually equivalent to their corresponding
distributed version S_D, where “equivalence” is to be understood here as “com-
puting the same input-output relation”. In this paper we consider both shared
variable programs and programs with explicit communication commands. The
latter class is regarded here as a subclass of all shared variable programs, where
shared variables are used only in the form of communication buffers and syn-
chronization flags, so to say. The techniques for shared variables remain valid for
communication based programs, but, due to the restrictions, a more attractive
formulation is possible than the transformation laws for general shared variable
programs. This is the principle of communication closed layers, originally pro-
posed in [EF82]. Informally, for a program S_L as above, a sequential phase of
the form L_i ≙ [P_{1,i} || ... || P_{n,i}], for some i such that 1 ≤ i ≤ m, is called
communication closed if for every communication channel c the number of send
commands for c executed inside L_i equals the number of receive commands for c
executed inside L_i. The communication closed layers law claims that when all sequential
phases L_i, for 1 ≤ i ≤ m, are communication closed, then S_L is equivalent to the
distributed version S_D. Technically speaking this law can be justified from the
laws for commuting actions. In practice however, “counting” send and receive
actions is often simpler than reasoning directly in terms of commuting actions.
Moreover, communication closedness is a property that can be checked for each
sequential phase in isolation, that is, without consideration of other phases. For
(general) shared variable programs on the other hand, one has to reason about
ordering of non-commuting actions across sequential phases.

The techniques used in this paper are based on precedence relations among
occurrences of program actions. Basically, such properties have the form “a1
precedes a2”, meaning that in every possible computation of the program
the points where a1 is executed all precede the points where a2 is executed. The
question is how to deal with this class of properties within proofs in the style of
the Owicki-Gries method. In principle, the Owicki-Gries method uses assertions
on states, whereas precedence properties are assertions that are interpreted over
computations. For instance, an assertion that asserts that “all occurrences of
action a1 precede all occurrences of action a2” cannot be interpreted as being
“true” or “false” in an arbitrary program state σ. A possible solution is to
introduce a boolean typed auxiliary variable for action a2, that we will call
“a2.occurred”, and which is set to “true” as soon as action a2 is executed. In this
way, the above precedence relation could be verified by means of an Owicki-Gries
style proof outline where a1 has a precondition that implies “¬a2.occurred”. We




Compositional Transformational Design for Concurrent Programs 611 

prefer to give a more systematic approach, based on so called temporal logic
[MP92, Lam83b]. This is a logic with formulae φ interpreted over computations,
rather than states, and which is well suited to formulating precedence properties.
We use only a small fragment of linear time temporal logic, with operators
that refer to the past history of a given state. Other models, based on partial
orders, like in [Pra86, Maz89, Zwi91, JPZ91, JZ92a, FPZ93, ZJ94, JPXZ94] are
often used, and are slightly more natural for dealing with precedence relations
among actions. (In essence, a computation in the partial order model of for
instance [JPZ91] can be seen as a collection of actions together with a set of
precedence relations on these actions.) Closely related are logics like Interleaving
Set Temporal Logic (ISTL) [KP87, KP92].



1.1 Related work on Communication closed Layers 

Stomp and de Roever [SdR87, SdR94] introduce what they call a principle for
sequentially phased reasoning which allows for semantically defined layers that
should correspond to the intuitive ideas of the designers. In [Sto89, Sto90] this
principle is applied to the derivation of a broadcast protocol. Chou and Gafni
[CG88] group classes of actions and define a sequential structure on such classes
(so-called stratification). Both approaches are closely related to the idea of com-
munication closed layers for communication based programs introduced by Elrad
and Francez [EF82] and studied in [GS86]. In [JZ92a] an explanation of [GHS83]
is given, inspired by ideas from [SdR87, SdR89], based on layered composition,
sometimes called “conflict (based) composition” or “weak sequential composi-
tion” [JPZ91, FPZ93, RW94]. Layer composition of the form S1 • S2 is a program
composition operator like parallel or sequential composition, that is useful for
composing “sequential phases” or “communication closed layers”. The idea is
that when a program of the form S1 • S2 • ... • Sn runs as a “closed system”,
that is, without interference by other parallel programs, then the input-output
behavior is the same as that of the sequential program S1 ; S2 ; ... ; Sn. There-
fore, it can be analyzed and shown correct by means of classical Hoare logic for
sequential programs, at least at this level of detail. On a more detailed level of
design the components S1, S2, ..., Sn themselves can be parallel programs. The
layer composition operator then turns out to be different from ordinary sequen-
tial composition: actions a1 and a2 from different layers are sequentially ordered
only if a1 and a2 are non-commuting. Using the layer composition operator one
can describe the distributed version S_D and the sequentially phased or layered
version S_L that we discussed (using sequential rather than layer composition)
above, as follows:

S_D = [(P_{1,1} • P_{1,2} • ... • P_{1,m}) || ... || (P_{n,1} • P_{n,2} • ... • P_{n,m})]

S_L = [P_{1,1} || ... || P_{n,1}] • ... • [P_{1,m} || ... || P_{n,m}]

A generalized version of the communication closed layers (CCL) law was pro-
posed in [JPZ91], for shared variables rather than communication however, and
based on layer composition rather than sequential composition. The side con-
ditions (in [JPZ91]) for the CCL law are that actions from P_{i,j} must commute
with actions from P_{k,l} unless i = k or j = l. Under these conditions the pro-
grams S_L and S_D are semantically identical, that is, they have identical sets
of computations. This certainly implies that S_L and S_D have the same input-
output relation, but it is a stronger property than just that: it also implies that
S_L can replace S_D, or vice versa, in arbitrary contexts, including contexts where
processes run concurrently with S_L or S_D. That is, the equivalence between S_L
and S_D is actually a congruence. On the other hand, when one replaces layer
composition in S_L and S_D by sequential composition, then, under the same side
conditions, input-output equivalence is still guaranteed, but this equivalence is
not preserved when processes run concurrently. That is, S_L can be replaced by
S_D within sequential contexts only. One does not expect the correctness of such
algorithms to be preserved when run in an arbitrary concurrent context that
could read and modify the shared variables used by the algorithm, so this seems
not to be a very severe restriction. When an algorithm like “set partitioning”
is incorporated into a larger concurrent program, one would take
care that no interference is possible between the algorithm and the rest
of the system, for instance by declaring the shared variables of the algorithm
to be “private” variables [MP92] of the algorithm. For programs like the two-
phase commit protocol the situation is more complex. A protocol like this one
is usually only a small part of more elaborate protocols, for instance a protocol
dealing with reliable atomic transactions in distributed databases [BHG87]. In
such cases the final (distributed) algorithm has to be combined with other pro-
tocols that interact in a non-trivial way. In such situations one needs either a
congruence between the layered and the distributed version of the protocol, or else one
must be careful when combining protocols. Mechanisms for combining protocols
that do not depend on compositional program operators, and therefore do not
depend on congruence properties, are discussed in [BS92, CM88, Kat93].

Overview In section 2 the syntax is introduced and the semantics is given in
section 3. The small fragment of temporal logic which is needed for formulating
the communication closed principle is discussed in section 4. In sections 5 and
6 several versions of the CCL laws are formulated. A generalization of the CCL
laws for loops is given in section 6.1. An example of program transformation is
given in section 7, where a well known set partitioning algorithm is discussed.

2 Syntax and informal meaning of programs 

We introduce a small programming language which is in essence a variation
of the well known guarded command languages for shared variable concurrency.
A novel point here is that guarded assignment actions are named by means of
a (unique) label in front of them. We use variables x, expressions e, boolean
expressions b, channel names c, and for action names we use a. The syntax is
given in table 1 below.
Table 1. Syntax of the Programming Language

Actions          act ::= (b → x := e) | send(c, e) | receive(c, x)

Programs         S ::= a : act | S1 ; S2 | if b1 → S1 □ ... □ bn → Sn fi |
                       do b1 → S1 □ ... □ bn → Sn od | [S1 || S2]

Closed programs  Sys ::= ⟨S⟩

We use boolean guards “b” and assignments without a guard of
the form “x := e” as straightforward abbreviations of guarded assignments. We
require that all action names a within a program S are unique. In practice we
suppress most of these labels and put labels only in front of those actions
that are referred to in formulae used to specify and verify the program.
Formally speaking, we assume in such cases that, implicitly, some labeling scheme
is used that assigns unique names to all unlabeled actions. We refer to [Lam83a]
for an example of such a labeling scheme.

We assume that communication channels are unidirectional point-to-point
channels. The send and receive commands model asynchronous send and re-
ceive commands for a channel with a one-place buffer. Informally, send(c, e)
evaluates expression e and sends the result along channel c, where it is tem-
porarily stored in a one-place buffer. In case the buffer is already full, the
send command waits until it is emptied. The receive action receive(c, x) waits
until a message is put in the buffer associated with the channel, retrieves it,
and stores the message in variable x. The send and receive commands are
therefore abbreviations:

send(c, e) ≙ (¬c.full → c.full, c.buf := true, e)

receive(c, x) ≙ (c.full → c.full, x := false, c.buf).

For closed programs we assume that initially all “semaphores” of the form c.full
associated with communication channels c are set to “false”, denoting that chan-
nels are empty initially. Formally speaking, we take care of this by assuming that
the preconditions of Hoare formulae for closed programs implicitly contain a conjunct of
the form ¬c.full for all relevant channels c.



3 The semantics of programs 



A reactive sequence models a computation of a system which takes into account possible interactions by parallel components. This is modeled using “gaps” whenever two subsequent computation steps have non-identical final and initial states. So we use reactive sequences $\theta$ of the form:

$$(\sigma_0 \xrightarrow{a_0} \sigma'_0)(\sigma_1 \xrightarrow{a_1} \sigma'_1) \cdots (\sigma_i \xrightarrow{a_i} \sigma'_i)(\sigma_{i+1} \xrightarrow{a_{i+1}} \sigma'_{i+1}) \cdots$$

Here, $\sigma_i$ and $\sigma'_i$ are the initial and final state of the i-th step, whereas $a_i$ is the name (i.e. the label) of the action being executed for the i-th step. We provide here a semantics which defines the reactive sequences for terminating computations of S. It is possible to define deadlock behavior and divergent computations in a similar style, but since we are aiming here at partial correctness only, we won’t need those here.

Definition 1 (Reactive event sequence semantics).

— $\mathcal{RA}[\![a : (b \to x := e)]\!] \stackrel{\text{def}}{=} \{(\sigma \xrightarrow{a} \sigma') \mid \sigma \models b \wedge \sigma' = f(\sigma)\}$, where the state transformation $f$ is the meaning of the assignment $x := e$.

— $\mathcal{RA}[\![S_1 ; S_2]\!] \stackrel{\text{def}}{=} \mathcal{RA}[\![S_1]\!] \frown \mathcal{RA}[\![S_2]\!]$, where $\frown$ is the operation of concatenation of sequences, pointwise extended to sets of reactive sequences.

— $\mathcal{RA}[\![\mathbf{if}\ \ldots\ \mathbf{fi}]\!] =$

— Let the $0$-th approximation be $\mathcal{RA}[\![\neg b_1 \wedge \cdots \wedge \neg b_n]\!]$, and let the $i$-th approximation, for $i > 0$, be $\mathcal{RA}[\![\mathbf{if}\ b_1 \to S_1 \ldots\ \square\ \cdots\ \square\ b_n \to S_n \ldots\ \mathbf{fi}]\!]$. Then $\mathcal{RA}[\![\mathbf{do}\ b_1 \to S_1\ \square \cdots \square\ b_n \to S_n\ \mathbf{od}]\!] \stackrel{\text{def}}{=}$ the union of the $i$-th approximations over all $i \geq 0$.

— $\mathcal{RA}[\![S_1 \parallel S_2]\!] \stackrel{\text{def}}{=} \mathcal{RA}[\![S_1]\!] \parallel \mathcal{RA}[\![S_2]\!]$, where $\parallel$ denotes the operation of interleaving of reactive sequences.

Finally, we define the semantics of closed systems. We say that a reactive sequence $\theta$ of the form

$$(\sigma_0 \xrightarrow{a_0} \sigma'_0)(\sigma_1 \xrightarrow{a_1} \sigma'_1) \cdots (\sigma_i \xrightarrow{a_i} \sigma'_i)(\sigma_{i+1} \xrightarrow{a_{i+1}} \sigma'_{i+1}) \cdots$$

is connected iff $\sigma'_i = \sigma_{i+1}$ for all indices $i$ such that both $\sigma'_i$ and $\sigma_{i+1}$ belong to $\theta$. For a closed system ⟨S⟩ no interaction with parallel components from outside of S is assumed, hence we require that for such closed systems the reactive sequences don’t contain “gaps”, i.e. are connected.

— The reactive sequence semantics $\mathcal{RA}[\![\langle S \rangle]\!]$ of a closed system ⟨S⟩ is defined as $\mathcal{RA}[\![\langle S \rangle]\!] \stackrel{\text{def}}{=} \{\theta \in \mathcal{RA}[\![S]\!] \mid \theta \text{ is connected}\}$.

Finally, we define the input-output semantics $\mathcal{O}[\![S]\!]$, based on the reactive sequence semantics. First we define an auxiliary function $IO(\eta)$ for reactive sequences $\eta$, that constructs the initial-final state pair from a (finite) reactive sequence:

$$IO((\sigma_0 \xrightarrow{a_0} \sigma'_0) \cdots (\sigma_n \xrightarrow{a_n} \sigma'_n)) = (\sigma_0, \sigma'_n).$$

The $\mathcal{O}[\![S]\!]$ semantics of systems is then easily determined from the reactive sequences for the corresponding closed system ⟨S⟩:

$$\mathcal{O}[\![S]\!] = \{IO(\eta) \mid \eta \in \mathcal{RA}[\![\langle S \rangle]\!]\}.$$
Table 2. Syntax of the Temporal Logic fragment TL

TL formulae  φ ::= a | φ1 ∧ φ2 | φ1 → φ2 | ¬φ | □φ | ◇φ | ⊟φ | ◆φ



4 Partial orders and temporal logic 

Programs are specified here within a subset of temporal logic [Pnu77, Lam83b, MP84, MP92, MP95]. In this paper we use a variant of so called past time temporal logic, to specify partial order constraints among actions. The syntax of the fragment of temporal logic that we use is given in table 2. In this table, a denotes an action name. We use standard abbreviations, such as φ1 ∨ φ2 for ¬(¬φ1 ∧ ¬φ2). Moreover, we use φ1 ⇒ φ2 for the temporal formula □(φ1 → φ2). We define a type of correctness formulae of the form S psat φ, where S denotes a program. The formula S psat φ denotes that all reactive sequences of S satisfy temporal logic formula φ. Similarly, ⟨S⟩ psat φ denotes that all reactive sequences of ⟨S⟩, that is, all connected reactive sequences of S, satisfy the temporal formula φ. We remark that in the literature on temporal logic of reactive systems one uses a different type of correctness formulae of the form “S sat φ”. (Often one simply specifies the temporal formula φ, and leaves the system S implicit.) Such formulae require a temporal logic formula φ to hold for all finite and infinite computations of system S. Our “psat” relation requires φ to hold for terminating computations only, and therefore is suited only for partial correctness properties, i.e. properties that should hold provided that a computation terminates.

Let $\theta = (\sigma_0 \xrightarrow{a_0} \sigma'_0) \cdots (\sigma_n \xrightarrow{a_n} \sigma'_n) \in \mathcal{RA}[\![S]\!]$ be a reactive sequence of a program S. We define the relation $(\theta, j) \models \varphi$ (“φ holds at position j in sequence θ”) for all j, 0 ≤ j ≤ n, as follows:

— For action names a, we define:

$(\theta, j) \models a$ iff $a_j = a$.

— For boolean connectives we define:

$(\theta, j) \models \varphi_1 \wedge \varphi_2$ iff $(\theta, j) \models \varphi_1$ and $(\theta, j) \models \varphi_2$,

$(\theta, j) \models \varphi_1 \to \varphi_2$ iff $(\theta, j) \models \varphi_1$ implies $(\theta, j) \models \varphi_2$,

$(\theta, j) \models \neg\varphi$ iff not $(\theta, j) \models \varphi$.

— For temporal operators we define:

$(\theta, j) \models \Box\varphi$ iff $(\theta, k) \models \varphi$ for all k, j ≤ k ≤ n,

$(\theta, j) \models \Diamond\varphi$ iff $(\theta, k) \models \varphi$ for some k, j ≤ k ≤ n,

$(\theta, j) \models \boxminus\varphi$ iff $(\theta, k) \models \varphi$ for all k, 0 ≤ k ≤ j,

$(\theta, j) \models \blacklozenge\varphi$ iff $(\theta, k) \models \varphi$ for some k, 0 ≤ k ≤ j.

Definition 2.

We define the meaning of a correctness formula as follows:

S psat φ iff for all $\theta \in \mathcal{RA}[\![S]\!]$, $(\theta, 0) \models \varphi$.

⟨S⟩ psat φ iff for all $\eta \in \mathcal{RA}[\![\langle S \rangle]\!]$, $(\eta, 0) \models \varphi$.

□

According to the semantics, every reactive sequence of ⟨S⟩ is also a possible reactive sequence of S. This fact, combined with the definition of the psat relation, then implies the following result:

Theorem 3 (From open to closed programs).

If S psat φ is valid, then ⟨S⟩ psat φ is valid.

We introduce an ordering relation on actions, that plays a major role in the program transformations we discuss later in this paper:

Definition 4 (Action ordering).

We define the weak precedence relation $a_1 \leadsto a_2$:

$$a_1 \leadsto a_2 \stackrel{\text{def}}{=} a_1 \Rightarrow \neg\blacklozenge a_2.$$

□

(Note that according to our conventions, $a_1 \leadsto a_2$ is the formula $\Box(a_1 \to \neg\blacklozenge a_2)$.) Informally, $a_1 \leadsto a_2$ requires that when both a1 and a2 occur in one execution sequence, then all a1 occurrences precede all a2 occurrences within the execution sequence. Note that the relation does not require a1 or a2 to be executed at all; for instance, an execution sequence with some a2 occurrences but no occurrences of a1 does satisfy “$a_1 \leadsto a_2$”. (This explains why the ordering is called “weak”.) Weak precedence is expressed by a temporal logic formula. The question is: how does one verify such formulae, and in particular, how does one verify $a_1 \Rightarrow \neg\blacklozenge a_2$ within the Owicki-Gries style proof method? Let us assume that we have a program S with actions a1 and a2, and we would like to verify the property $a_1 \leadsto a_2$. Intuitively, one would like to construct a proof outline for S where the precondition for action a1, say pre(a1), would imply the formula $\neg\blacklozenge a_2$. Formally speaking this wouldn’t be possible since pre(a1) is a state formula, whereas a temporal formula like $\neg\blacklozenge a_2$ cannot be interpreted in a single state. Fortunately, the formula that we are interested in is expressed by means of past time operators only, and therefore we can transform it into a state formula by introducing auxiliary variables. In this case we introduce a boolean auxiliary variable “a2.occ” that records whether a2 did occur at least once thus far, or not. Let action a2 be of the form $(b_2 \to x_2 := e_2)$. Then we modify the program S and construct a proof outline for S, as follows:

— The action a2 in S is replaced by $(b_2 \to x_2, a_2.occ := e_2, true)$. No other assignments to a2.occ are added within S.

— Construct a proof outline {p}A(S){q} of S such that $p \to \neg a_2.occ$ and $pre(a_1) \to \neg a_2.occ$.

Then S satisfies the condition $a_1 \leadsto a_2$.

Theorem 5 (Verifying action ordering).

Let pf ≝ {p}A(S){q} be a proof outline for a program S, augmented with an auxiliary variable a2.occ as described above, such that $p \to \neg a_2.occ$. Let the precondition for action a1 in this proof outline be denoted by pre(a1) and assume that $pre(a_1) \to \neg a_2.occ$ is a valid formula. Then ⟨S⟩ psat $a_1 \leadsto a_2$ is a valid correctness formula.

The last theorem begs the question why one would use weak precedence relations to verify programs. After all, the theorem suggests that you already must have a proof outline in order to show that certain precedence relations hold. However, the strategy that we propose is as follows:

— First, set up a proof outline that is used only to verify weak precedence properties. That is, this proof outline does not show the correctness of the program with respect to its specification by means of the pre- and postconditions p and q. Therefore, this proof outline can usually be fairly simple.

— Second, after having verified the necessary precedence properties, forget the first proof outline, and use the precedence properties in combination with one of the communication closed layers laws, which are discussed later on in this paper, to transform the original distributed program S_D into a simplified layered version S_L.

— Finally, use new proof outlines to show the correctness of the layered version S_L with respect to the original specification of the program.

In practice the proof outlines needed to verify precedence properties follow a few predefined patterns.

Theorem 6 (Ordering caused by sequential composition).

Assume that S1 is a program containing action a1 and S2 is a program containing a2. Let C[·] be a program context such that within a program of the form C[S] the S component is not inside the body of a loop construct. Then:

⟨C[S1 ; S2]⟩ psat $a_1 \leadsto a_2$.

Weak precedence is not a transitive relation, that is, from $a_1 \leadsto a_2$ and $a_2 \leadsto a_3$ it does not follow that $a_1 \leadsto a_3$. To see this, consider some execution sequence with no a2 occurrences at all. Then $a_1 \leadsto a_2$ and $a_2 \leadsto a_3$ both hold, trivially. But of course $a_1 \leadsto a_3$ need not hold. This “counterexample” suggests a useful theorem. Assume that the system satisfies the formula ◇a2, so we know that in every execution sequence at least one a2 event occurs. Informally, we say that “a2 is unavoidable”. Now if in this situation the relations $a_1 \leadsto a_2$ and $a_2 \leadsto a_3$ are valid, then we may conclude that $a_1 \leadsto a_3$ is valid too. To prove this, assume to the contrary that there would exist an execution sequence where some a1 event occurs that is preceded by some a3 event. We know that some a2 event is bound to occur also. By the $a_1 \leadsto a_2$ and $a_2 \leadsto a_3$ relations, it follows that this a2 event should follow the a1 event and precede the a3 event. This contradicts the assumption that the a3 event would precede the a1 event, and so, by reductio ad absurdum, we conclude that $a_1 \leadsto a_3$ must be valid. We formulate a theorem that is a simple extension of what we have shown:

Theorem 7 (Properties of action ordering).

Let a1 and a2 be action names and let $b_i$, where $i \in I$ for some finite index set I, be action names. If S psat $(a_1 \leadsto b_i)$ and S psat $b_i \leadsto a_2$ for all $i \in I$, and S psat $(\Diamond a_1 \wedge \Diamond a_2)$, then S psat $a_1 \leadsto a_2$ holds.

We do not aim at formulating a complete proof system for temporal logic here. Rather, we provide a few simple rules that we need, mainly in combination with rules for order constraints as above.

Theorem 8 (Properties of ◇).

— a : act psat ◇a

— If S1 psat ◇a then, for any S2, S1 ; S2 psat ◇a and S2 ; S1 psat ◇a

— If S1 psat ◇a then, for any S2, S1 || S2 psat ◇a and S2 || S1 psat ◇a

— If $S_i$ psat $\Diamond a_i$ for i = 1..n, then if $\square_{i=1}^{n}\ b_i \to S_i$ fi psat …



5 The Communication Closed Layers laws 

We discuss a group of related program transformations, collectively referred to as “communication closed layers laws” (CCL-laws). The phrase “communication closed” stems from a paper by T. Elrad and N. Francez [EF82], where communication closedness of CSP programs was introduced. We refer here to a more general setting where we ask under which conditions an arbitrary program S_L of the form [S_{0,0} || S_{0,1}] ; [S_{1,0} || S_{1,1}] can be considered equivalent to a program S_D of the form [S_{0,0} ; S_{1,0} || S_{0,1} ; S_{1,1}]. The interest lies in program development where one starts off with sequentially layered programs S_L, which are considered simpler to design and verify than distributed programs S_D. After S_L has been verified, it is then transformed into the form S_D. There are a number of related transformation laws, where the variation originates from the following factors:

— The variation in communication mechanisms: CSP style communication or shared variable based communication.

— The side conditions under which the equivalence holds: there is a choice between simple syntactic conditions and more complex verification conditions, where the latter are applicable in more general situations than the simple ones.

— The notion of equivalence that we are interested in: We require that “equivalent” programs have the same input-output relation when we consider them as state transformers. This implies that equivalent programs satisfy the same Hoare formulae for partial correctness. A much stronger requirement is that programs are considered equivalent if they have the same reactive sequence semantics. If S1 and S2 are equivalent in this stronger sense then any temporal logic formula satisfied by S1 would also be satisfied by S2 and vice versa. Moreover, we know that semantic equality yields not only an equivalence but even a congruence. Despite the obvious advantages of program congruence there is also a serious disadvantage: if “equivalent” programs are required to have identical computations, then not much room for interesting transformations remains. In this paper we focus on equivalence in the sense of identical input-output behavior.

Definition 9 (IO-equivalence).

We define IO-equivalence, denoted by $S_1 \stackrel{IO}{=} S_2$, iff $\mathcal{O}[\![S_1]\!] = \mathcal{O}[\![S_2]\!]$.

The soundness of various transformation laws can be shown by considering action labeled computations $\mathcal{RA}[\![S]\!]$ of programs. From the definition of IO-equivalence and the definitions of the semantic functions it follows that IO-equivalence between S1 and S2 holds iff the following is true: For any computation $\eta \in \mathcal{RA}[\![\langle S_1 \rangle]\!]$ (respectively, $\mathcal{RA}[\![\langle S_2 \rangle]\!]$) of the form

$$(\sigma_0 \xrightarrow{a_0} \sigma_1)(\sigma_1 \xrightarrow{a_1} \sigma_2) \cdots (\sigma_{n-1} \xrightarrow{a_{n-1}} \sigma_n),$$

there is a computation $\eta' \in \mathcal{RA}[\![\langle S_2 \rangle]\!]$ (respectively, $\mathcal{RA}[\![\langle S_1 \rangle]\!]$) of the form

$$(\sigma_0 \xrightarrow{a'_0} \sigma'_1)(\sigma'_1 \xrightarrow{a'_1} \sigma'_2) \cdots (\sigma'_{m-1} \xrightarrow{a'_{m-1}} \sigma_n).$$

That is, for any computation $\eta$ starting with an initial state $\sigma_0$ and terminating in a state $\sigma_n$ that is possible for one of the two programs, there is an IO-equivalent computation $\eta'$, i.e. with the same initial and final state, for the other program. Note that IO-equivalent computations need not go through the same intermediate states, and that they need not be of the same length.

Theorem 10 (Sequential contexts).

Let S and S' be IO-equivalent programs and let C[·] be a context such that S is not a statement within a parallel component of C[S], i.e. S is not within the scope of a parallel composition operator of C[S]. Then $C[S] \stackrel{IO}{=} C[S']$.

Informally this means that although IO-equivalence is not a congruence, it can be treated as a congruence within sequential contexts.

5.1 CCL laws for shared variables 

The CCL laws for shared variables are based on the fairly simple idea of syntactically commuting actions. First, let a be the name of some (b → x := e) action. We define the set of read variables R(a) ≝ var(b) ∪ var(e), and the set of write variables W(a) ≝ {x}. We say that two actions a1 = (b1 → x1 := e1) and a2 = (b2 → x2 := e2) are syntactically commuting if the following three conditions are satisfied:

1. W(a1) ∩ R(a2) = ∅,

2. W(a2) ∩ R(a1) = ∅,

3. W(a1) ∩ W(a2) = ∅.

Actions which do not syntactically commute are said to be in conflict and, depending on which condition above is violated, we speak of read-write or write-write conflicts. When a1 and a2 are in conflict we denote this by a1 — a2 and otherwise, i.e. when they commute syntactically, we denote this by a1 -/- a2.

Definition 11 (Concurrent actions).

Two actions a1 and a2 occurring in S are called concurrent actions if there are two different parallel components S1 and S2 of S such that a1 occurs in S1 and a2 occurs in S2. This means there exist statements S1 and S2 such that the statement [S1 || S2] occurs within S, a1 is an action of S1, and a2 is an action of S2. □



A principal property of commuting concurrent actions is the following:

Lemma 12 (Commuting actions).

Let a1 and a2 be concurrent actions of a closed program ⟨S⟩ and suppose that a1 and a2 are syntactically commuting actions, i.e. a1 -/- a2. Let $\eta \in \mathcal{RA}[\![\langle S \rangle]\!]$ be a computation of ⟨S⟩, of the form:

$$(\sigma_0 \xrightarrow{a_0} \sigma_1) \cdots (\sigma_{i-1} \xrightarrow{a_{i-1}} \sigma_i)(\sigma_i \xrightarrow{a_i} \sigma_{i+1})(\sigma_{i+1} \xrightarrow{a_{i+1}} \sigma_{i+2})(\sigma_{i+2} \xrightarrow{a_{i+2}} \sigma_{i+3}) \cdots$$

Assume that for some index i, event $a_i$ is an occurrence of action a1, and $a_{i+1}$ is an occurrence of a2. Let $\eta'$ be defined as $\eta$ with $a_i$ and $a_{i+1}$ exchanged, i.e. of the form:

$$(\sigma_0 \xrightarrow{a_0} \sigma_1) \cdots (\sigma_{i-1} \xrightarrow{a_{i-1}} \sigma_i)(\sigma_i \xrightarrow{a_{i+1}} \sigma'_{i+1})(\sigma'_{i+1} \xrightarrow{a_i} \sigma_{i+2})(\sigma_{i+2} \xrightarrow{a_{i+2}} \sigma_{i+3}) \cdots$$

(Note that $\eta'$ determines the same sequence of states except for state $\sigma'_{i+1}$, which in general will differ from $\sigma_{i+1}$.) We claim that $\eta'$ too is a computation of ⟨S⟩, that is: $\eta' \in \mathcal{RA}[\![\langle S \rangle]\!]$.

The next theorem is the first example of a CCL law. It is based on independence of program fragments, where we define S1 -/- S2 as: for all actions a1 occurring in S1 and all actions a2 occurring in S2 we have that a1 -/- a2.

Theorem 13 (Communication Closed Layers-1).

Let S_L and S_D be programs defined thus:

S_L = [S_{0,0} || ⋯ || S_{0,m}] ; ⋯ ; [S_{n,0} || ⋯ || S_{n,m}]

and

S_D = [S_{0,0} ; ⋯ ; S_{n,0} || ⋯ || S_{0,m} ; ⋯ ; S_{n,m}].

Assume that S_{i,j} -/- S_{i',j'} for i ≠ i' and j ≠ j'; then $S_L \stackrel{IO}{=} S_D$.

The intuitive justification of this law is simple: Consider the simple case

S_L = [S_{0,0} || S_{0,1}] ; [S_{1,0} || S_{1,1}]

and

S_D = [S_{0,0} ; S_{1,0} || S_{0,1} ; S_{1,1}].

It will be clear that any computation for ⟨S_L⟩ is also a possible computation for ⟨S_D⟩. The reverse does in general not hold, since, for instance, S_{1,0} actions can occur as soon as the S_{0,0} part has terminated, so possibly before the S_{0,1} part has terminated. However, since it is assumed in the above theorem that S_{0,1} actions and S_{1,0} actions commute syntactically, such computations are equivalent to computations where S_{1,0} actions occur only after all S_{0,1} actions, that is, such ⟨S_D⟩ computations are equivalent to some ⟨S_L⟩ computation. The theorem follows as a simple corollary from our second CCL law, that we discuss next. Assume that we have programs S_L and S_D as above, but this time assume, for instance, that the condition S_{0,1} -/- S_{1,0} does not hold. That is, there are actions a1 in S_{1,0} and a2 in S_{0,1} such that a1 — a2. In general, an S_D computation where an instance of a2 precedes an instance of a1 will not be equivalent to any S_L computation. Let us assume however that (for all such pairs of conflicting actions) we can show that S_D satisfies the formula $a_1 \leadsto a_2$; that is, a2 instances simply do not precede a1 instances. Then reasoning as above shows again that S_D computations can be shown to be equivalent to S_L computations via the technique of permuting occurrences of commuting actions.

We introduce some extra notation in order to formulate our second version of the CCL law. For actions a1 and a2 let $a_1 \stackrel{c}{\leadsto} a_2$ abbreviate the formula $a_1 \leadsto a_2$ if a1 — a2, and let it denote “true” otherwise. We extend the notation to programs: $S_1 \stackrel{c}{\leadsto} S_2$ abbreviates the following formula:

$$\bigwedge \{a_1 \stackrel{c}{\leadsto} a_2 \mid a_1 \text{ occurs in } S_1,\ a_2 \text{ occurs in } S_2\}$$

Informally, $S_1 \stackrel{c}{\leadsto} S_2$ expresses that a1 events precede those a2 events that are conflicting with them.
Theorem 14 (Communication Closed Layers-2).

Let S_L and S_D be programs defined thus:

S_L = [S_{0,0} || ⋯ || S_{0,m}] ; ⋯ ; [S_{n,0} || ⋯ || S_{n,m}]

and

S_D = [S_{0,0} ; ⋯ ; S_{n,0} || ⋯ || S_{0,m} ; ⋯ ; S_{n,m}].

Assume that S_D psat $(S_{i,j} \stackrel{c}{\leadsto} S_{i',j'})$ for all i < i' and j ≠ j'. Then

$S_L \stackrel{IO}{=} S_D$.

Example 1 (Communication closed layers).

Consider the program S given by

S = [ z := 2 ; P1 : P(s) ; w := 1 ; P2 : P(s) ; z := x + 1  ||  x := 2 ; V1 : V(s) ; v := 1 ; V2 : V(s) ; v := w + 1 ]

One can show that, under the implicit assumption that initially s holds, S satisfies the ordering:

⟨S⟩ psat $P_1 \leadsto V_1 \leadsto P_2 \leadsto V_2$.

Moreover using the theorems above one can deduce

⟨S⟩ psat ◇P1 ∧ ◇V1 ∧ ◇P2 ∧ ◇V2.

Introducing action labels for conflicting events and the ordering and eventualities, cf. theorems 6 and 7, one can easily deduce that S is IO-equivalent with the layered program S1 ; S2 with

S1 = [ z := 2 ; P1 : P(s) ; w := 1  ||  x := 2 ; V1 : V(s) ; v := 1 ]

and

S2 = [ P2 : P(s) ; z := x + 1  ||  V2 : V(s) ; v := w + 1 ]

This IO-equivalent layered version readily implies that S satisfies

⊨ {s} S {z = 3 ∧ v = 2}
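The claims of this example can be checked mechanically over the semantics of section 3. The following Python program is an added illustration, not code from the paper: it enumerates all connected terminating reactive sequences of ⟨S⟩ and of ⟨S1 ; S2⟩ from an initial state with s true (the other variables are assumed to start at 0), evaluates the weak precedence and eventuality formulae on them, computes the conflicting pairs that Theorem 14 requires to be ordered, and compares the input-output semantics of the two programs. P(s) is taken as the guarded assignment (s → s := false) and V(s) as (¬s → s := true); that reading of the semaphore operations is an assumption, since the paper does not spell them out.

```python
"""Brute-force check of Example 1 over the reactive-sequence semantics of section 3.
Added example, not code from the paper: it enumerates every connected terminating
computation of the closed system, then checks the weak precedence claims, the
eventualities, the CCL-2 side conditions of Theorem 14 and IO-equivalence of the
distributed program S with the layered program S1 ; S2."""


def act(label, reads, writes, guard, effect):
    """A labelled guarded assignment with its syntactic read set R(a) and write
    set W(a) (section 5.1) and its meaning as a guard/effect on a state dict."""
    return (label, frozenset(reads), frozenset(writes), guard, effect)


def assign(label, var, reads, expr):            # unguarded "x := e"
    return act(label, reads, {var}, lambda st: True, lambda st: {**st, var: expr(st)})


def P(label):                                    # assumed: P(s) = (s -> s := false)
    return act(label, {"s"}, {"s"}, lambda st: st["s"], lambda st: {**st, "s": False})


def V(label):                                    # assumed: V(s) = (not s -> s := true)
    return act(label, {"s"}, {"s"}, lambda st: not st["s"], lambda st: {**st, "s": True})


# The two columns of the program S of Example 1, each a sequential component.
LEFT = [assign("z:=2", "z", set(), lambda st: 2), P("P1"),
        assign("w:=1", "w", set(), lambda st: 1), P("P2"),
        assign("z:=x+1", "z", {"x"}, lambda st: st["x"] + 1)]
RIGHT = [assign("x:=2", "x", set(), lambda st: 2), V("V1"),
         assign("v:=1", "v", set(), lambda st: 1), V("V2"),
         assign("v:=w+1", "v", {"w"}, lambda st: st["w"] + 1)]

# A program is a list of layers; a layer is a list of parallel components.
S_D = [[LEFT, RIGHT]]                                     # S = [LEFT || RIGHT]
S_L = [[LEFT[:3], RIGHT[:3]], [LEFT[3:], RIGHT[3:]]]      # S1 ; S2


def runs(layers, state, trace=()):
    """Yield (label trace, final state) for every connected terminating reactive
    sequence of the closed system: layers run in order, and within a layer the
    components are interleaved by stepping any action whose guard holds."""
    if not layers:
        yield trace, state
        return
    comps, rest = layers[0], layers[1:]
    if all(not c for c in comps):
        yield from runs(rest, state, trace)
        return
    for i, comp in enumerate(comps):
        if comp and comp[0][3](state):
            label, _, _, _, effect = comp[0]
            nxt = comps[:i] + [comp[1:]] + comps[i + 1:]
            yield from runs([nxt] + rest, effect(state), trace + (label,))


def weak_prec(trace, a1, a2):
    """a1 ~> a2, i.e. [](a1 -> not <once> a2): no a2 occurs at or before any a1."""
    return all(a2 not in trace[:j + 1] for j, a in enumerate(trace) if a == a1)


def conflict(a, b):
    """Syntactic conflict a -- b: a read/write or write/write set overlap."""
    return bool(a[2] & b[1] or b[2] & a[1] or a[2] & b[2])


def ccl2_side_conditions():
    """Conflicting pairs (a1 in S_{0,j}, a2 in S_{1,j'}, j != j'); Theorem 14 asks
    S_D psat a1 ~> a2 for each of them (the other pairs abbreviate to "true")."""
    top, bottom = S_L
    return [(a[0], b[0]) for j, sj in enumerate(top) for jj, sjj in enumerate(bottom)
            if j != jj for a in sj for b in sjj if conflict(a, b)]


def check_example():
    init = {"s": True, "x": 0, "z": 0, "w": 0, "v": 0}   # s holds; zeros are assumed
    sd, sl = list(runs(S_D, init)), list(runs(S_L, init))
    io = lambda rs: {tuple(sorted(f.items())) for _, f in rs}   # O[[.]] from a fixed start
    return {
        "ordering": all(weak_prec(t, a, b) for t, _ in sd
                        for a, b in [("P1", "V1"), ("V1", "P2"), ("P2", "V2")]),
        "eventualities": all({"P1", "V1", "P2", "V2"} <= set(t) for t, _ in sd),
        "ccl2": all(weak_prec(t, a, b) for t, _ in sd for a, b in ccl2_side_conditions()),
        "io_equivalent": io(sd) == io(sl),
        "postcondition": all(f["z"] == 3 and f["v"] == 2 for _, f in sd),
        "computations": (len(sd), len(sl)),
    }


if __name__ == "__main__":
    for key, value in check_example().items():
        print(f"{key}: {value}")
```

⟨S⟩ has more computations than ⟨S1 ; S2⟩ (for instance P2 may run before v := 1 in S but not in the layered form), yet both yield the single final state z = 3, v = 2, as IO-equivalence requires.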



5.2 CCL law for communication based programs

In this section we consider distributed programs in which the components only communicate with each other through send and receive actions. The CCL law for such communication based programs is based on the notion of communication closed layers. Assume that we have programs

S_L = [S_{0,0} || S_{0,1}] ; [S_{1,0} || S_{1,1}]

and

S_D = [S_{0,0} ; S_{1,0} || S_{0,1} ; S_{1,1}].

The CCL law states that $S_L \stackrel{IO}{=} S_D$, provided that S_D psat $(S_{0,0} \stackrel{c}{\leadsto} S_{1,1}) \wedge (S_{0,1} \stackrel{c}{\leadsto} S_{1,0})$. In general, the conditions on S_D for this property to hold are not always so easy to verify. However, assume that communication between (S_{0,0} ; S_{1,0}) and (S_{0,1} ; S_{1,1}) is by means of explicit send and receive commands only, i.e. there are no shared variables except for variables associated with communication channels. We call a single layer, such as L0 = [S_{0,0} || S_{0,1}], communication closed if it has the following properties:

— For any channel c, one of S_{0,0} and S_{0,1} contains all the send actions, and the other one contains all the receive actions.

— For each send event for some channel c, there is a “matching” receive event.

By “matching” we refer to a simple counting argument: the number of send events for channel c is the same as the number of receive events for c. We claim that when both L0 ≝ [S_{0,0} || S_{0,1}] and L1 ≝ [S_{1,0} || S_{1,1}] are communication closed layers, then the side conditions of the form $(S_{0,0} \stackrel{c}{\leadsto} S_{1,1})$ and $(S_{0,1} \stackrel{c}{\leadsto} S_{1,0})$ are satisfied. In general, the number of send or receive actions actually executed might depend on the initial state for a particular layer. Before we can deal with this extra complication we must discuss IO-equivalence and transformations that rely on preconditions.
6 Assertion based program transformations

We introduce generalizations of the communication closed layers laws that depend on side conditions that are based on assertions. To be precise, we introduce laws that are of the form “S1 is equivalent to S2, provided these programs start in an initial state satisfying precondition pre”. Let us assume that we have a program of the form C[S1], where C[·] is the program context of S1. If we want to transform this program into C[S2] by applying the transformation law, then it will be clear that one has to show that, within the given context C[·], the required precondition pre holds whenever S1 starts executing. We first introduce a generalized version of the operational semantics, which in essence captures the semantics of a program provided that it starts in a state satisfying a given precondition. Formally speaking, we define a semantic function $\mathcal{O}[\![(pre, S)]\!]$ that maps pairs consisting of a precondition and a program to sets of state pairs. We use the notation $\mathcal{O}[\![\{pre\}S]\!]$, rather than $\mathcal{O}[\![(pre, S)]\!]$:

Definition 15 (Precondition based semantics).

$$\mathcal{O}[\![\{pre\}S]\!] = \{(\sigma, \sigma') \mid \sigma \models pre \wedge \sigma' = val(\eta) \wedge \eta \in \mathcal{RA}[\![\langle S \rangle]\!]\sigma\}$$

□

Definition 16 (Precondition based IO-equivalence).

We define precondition based IO-equivalence between programs, denoted by $\{p_1\}S_1 \stackrel{IO}{=} \{p_2\}S_2$, iff $\mathcal{O}[\![\{p_1\}S_1]\!] = \mathcal{O}[\![\{p_2\}S_2]\!]$. □

For the next series of definitions we assume that extra auxiliary variables “c.sent” and “c.received” have been introduced for all relevant channels c, acting as counters for the number of times that send and receive actions have been executed. The send and receive abbreviations incorporating updates to these auxiliary variables then become as follows:

send(c, e) ≝ (¬c.full → c.full, c.buf, c.sent := true, e, c.sent + 1)

receive(c, x) ≝ (c.full → c.full, x, c.received := false, c.buf, c.received + 1).

We assume that the preconditions of Hoare formulae for closed programs implicitly contain conjuncts of the form ¬c.full and c.sent = c.received = 0, denoting that initially all channels are empty, and no messages have been sent.

In previous sections we have dealt with communication closedness for shared 
variable programs. We now reformulate this notion for programs that rely solely 
on send and receive commands for communication between parallel compo- 
nents. Formally speaking we have defined send and receive as abbreviations of 
shared variable actions; our definition below is consistent with the definition of 
communication closedness that we gave for shared variables. A new aspect, that 
was not discussed for shared variables, is the introduction of preconditions. 
Definition 17 (Communication closedness).

A program S with precondition pre is called communication closed for channel c iff the following Hoare formula is valid:

{pre ∧ c.sent = c.received} S {c.sent = c.received}.

A program or layer with precondition pre is called communication closed if it is communication closed for all of its channels. □



Theorem 18 (Communication Closed Layers-3).

Let S_L and S_D be communication based programs, and let S_L be annotated thus:

{p0} [S_{0,0} || ⋯ || S_{0,m}] {p1} ⋯ {pn} [S_{n,0} || ⋯ || S_{n,m}]

and

S_D = [S_{0,0} ; ⋯ ; S_{n,0} || ⋯ || S_{0,m} ; ⋯ ; S_{n,m}].

Assume that each layer with precondition

L_i = {p_i} [S_{i,0} || ⋯ || S_{i,m}]

is communication closed. Then $\{p_0\} S_L \stackrel{IO}{=} \{p_0\} S_D$.



6.1 Loop distribution

In this section we will derive certain laws for distributing loops over parallel composition. Conditions will be given under which a loop of the form

do b → [S1 || S2] od

can be considered equivalent to a distributed loop of the form:

[do b1 → S1 od || do b2 → S2 od]

Such a transformation is not valid in general, but depends on the relation between the guard b and the guards b1 and b2, and an appropriate loop invariant. The loop bodies S1 and S2 should satisfy the CCL-condition. And finally the variables of the guard b_i should be local variables of the loop body S_i.
Theorem 19 (Loop transformations).

Consider a program do b → [S1 || S2] od, guards b1, b2, and assertions p, q, I with the following properties.

1. I is a loop invariant, i.e.

⊨ {I ∧ b} [S1 || S2] {I},

2. ⊨ p → I,

3. The variables of b_i are contained in the local variables of S_i, i = 1, 2, and moreover the following is valid:

⊨ I → (b ↔ b1) ∧ (b ↔ b2).

4. {I ∧ b} [S1 || S2] is communication closed. (In particular we assume that no shared variables are used except for those implementing the channels.)

Then

{p} do b → [S1 || S2] od  $\stackrel{IO}{=}$  {p} [do b1 → S1 od || do b2 → S2 od]

and {p} [do b1 → S1 od || do b2 → S2 od] is communication closed.

7 Set partitioning revisited

In this section a variation of the well known set partitioning algorithm is developed. We start with a provably correct top-level layered system, and afterwards transform this layered system, meanwhile preserving correctness, to a distributed version. The pre- and post-specification of the set partitioning algorithm is given by

{S = S0 ≠ ∅ ∧ T = T0 ≠ ∅ ∧ S ∩ T = ∅}

P

{|S| = |S0| ∧ |T| = |T0| ∧ S ∪ T = S0 ∪ T0 ∧ max(S) < min(T)}

The initial version of this algorithm is based on shared variables:

[max := max(S) || min := min(T)] ;
do max > min →
    [S := (S − {max}) ∪ {min} || T := (T − {min}) ∪ {max}] ;
    [max := max(S) || min := min(T)]
od

One can easily show that the above program is correct with respect to the desired pre- and post-specification. Since we are aiming at a distributed version, where sharing of variables like min and max is not possible, we introduce some extra variables mn and mx that, in the distributed version, will be used for maintaining local copies of min and max. This leads to the following program, which will be the starting point of the design and transformation strategy.

[max := max(S) || min := min(T)] ;
[[send(C, max) || receive(D, mn)] || [receive(C, mx) || send(D, min)]] ;
do max > min →
    [S := (S − {max}) ∪ {mn} || T := (T − {min}) ∪ {mx}] ;
    [max := max(S) || min := min(T)] ;
    [[send(C, max) || receive(D, mn)] || [receive(C, mx) || send(D, min)]]
od

The partial correctness of the above program can be shown using the following loop invariant:

I = |S| = |S0| ∧ |T| = |T0| ∧ S ∪ T = S0 ∪ T0 ∧ mn = min = min(T) ∧ mx = max = max(S).

The next step is that we transform the initialization phase, preceding the loop,

[max := max(S) || min := min(T)] ;
[[send(C, max) || receive(D, mn)] || [receive(C, mx) || send(D, min)]].

One easily checks that the premises of the communication based CCL law are satisfied. Hence this initialization phase can be transformed into the following IO-equivalent program:

[ max := max(S) ; [send(C, max) || receive(D, mn)]  ||  min := min(T) ; [receive(C, mx) || send(D, min)] ]

Next we will transform the loop body

[S := (S − {max}) ∪ {mn} || T := (T − {min}) ∪ {mx}] ;
[max := max(S) || min := min(T)] ;
[[send(C, max) || receive(D, mn)] || [receive(C, mx) || send(D, min)]]

to a distributed version. This loop body also satisfies the premises of the communication based CCL law, theorem 18. Therefore this loop body can be transformed into the following IO-equivalent program [B1 || B2], where:

B1 = S := (S − {max}) ∪ {mn} ; max := max(S) ; [send(C, max) || receive(D, mn)]

and

B2 = T := (T − {min}) ∪ {mx} ; min := min(T) ; [send(D, min) || receive(C, mx)]

Finally we want to distribute the guard do max < min [Bi || B2] od over 
the parallel composition. As explained in the section on loop distribution, this 
can be done if we are able to express for each parallel component the global 
guard in terms of local variables, and if the layer Bi || B2 is communication 
closed. In this particular case we can use the auxiliary variables mn, a copy of 
min, and mx, a copy of max, cf. the loop invariant I. Hence we have at the start 
of the loop 

I {max < min -H- mx < min) A {max < min -H- max < mn) 

The second and fourth inequality are expressed using the local variables of B2 
and Bi, respectively. Moreover one can easily check the communication closed- 
ness of the layer Bi || B2- So we can distribute the guard over the parallel 
composition. This yields the following lO-equivalent, distributed and correct 
version of the loop do max < min [Bi || B2] od: 



[ do max < mn →        do mx < min →
     B1            ||      B2
  od                   od ]



As an intermediate result we have obtained the following program

[Init1 || Init2]

[ do max < mn →        do mx < min →
     B1            ||      B2
  od                   od ]

with Init1 and Init2 the two components of the distributed initialization
phase above, and B1 and B2 as defined above.

... is communication closed. So we can apply the precondition based Communication
Closed Layers transformation, theorem 18, to the distributed initialization
phases and the distributed loops, yielding the following distributed program



[ Init1                 Init2
  do max < mn →         do mx < min →
     B1            ||      B2
  od                    od ]

Invoking the definition of Init1, Init2, B1 and B2 results in



P_impl =
[ max := max(S)                          min := min(T)
  [send(C, max) || receive(D, mn)]       [send(D, min) || receive(C, mx)]
  do max < mn →                     ||   do mx < min →
     S := (S − {max}) ∪ {mn}                T := (T − {min}) ∪ {mx}
     max := max(S)                          min := min(T)
     [send(C, max) || receive(D, mn)]       [send(D, min) || receive(C, mx)]
  od                                     od ]

And we can conclude that the above program P_impl is a partially correct
implementation of the set partitioning algorithm.
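The layered loop and its distributed version P_impl side by side, as an added example that is not part of the original text: two Python threads stand for the two processes, the rendezvous channels C and D play the synchronous send/receive, and both versions are run on the same constructed input so their IO behaviour can be compared. The loop guard relation is passed in as a parameter so the page's guard (max < min) can be run next to other relations; SyncChannel and exchange are helpers assumed for this example.

```python
import threading


class SyncChannel:
    """Rendezvous channel (assumed helper): send returns only after the
    matching receive has taken the value, like the synchronous send/receive."""

    def __init__(self):
        self._cv = threading.Condition()
        self._slot, self._full = None, False

    def send(self, value):
        with self._cv:
            while self._full:            # a previous value is still untaken
                self._cv.wait()
            self._slot, self._full = value, True
            self._cv.notify_all()
            while self._full:            # wait for the receiver to take it
                self._cv.wait()

    def receive(self):
        with self._cv:
            while not self._full:
                self._cv.wait()
            value, self._full = self._slot, False
            self._cv.notify_all()
            return value


def exchange(out_ch, in_ch, value):
    """[send(out, value) || receive(in, r)]: both i/o actions run concurrently."""
    sender = threading.Thread(target=out_ch.send, args=(value,))
    sender.start()
    received = in_ch.receive()
    sender.join()
    return received


def partition_layered(S, T, guard):
    """The layered program: its communication layer reduces to the copies
    mx := max and mn := min, so the whole program is sequential."""
    S, T = set(S), set(T)
    max_s, min_t = max(S), min(T)        # [max := max(S) || min := min(T)]
    mx, mn = max_s, min_t                # [[send(C,max)||receive(D,mn)] || [receive(C,mx)||send(D,min)]]
    while guard(max_s, min_t):           # do max < min ->
        S = (S - {max_s}) | {mn}         # [S := (S - {max}) U {mn} || T := (T - {min}) U {mx}]
        T = (T - {min_t}) | {mx}
        max_s, min_t = max(S), min(T)    # [max := max(S) || min := min(T)]
        mx, mn = max_s, min_t            # the communication layer again
    return sorted(S), sorted(T)


def partition_distributed(S, T, guard):
    """P_impl: P1 owns S and uses C (to P2) and D (from P2); P2 owns T."""
    C, D = SyncChannel(), SyncChannel()
    result = {}

    def p1(S):
        max_s = max(S)
        mn = exchange(C, D, max_s)       # [send(C, max) || receive(D, mn)]
        while guard(max_s, mn):          # do max < mn ->
            S = (S - {max_s}) | {mn}
            max_s = max(S)
            mn = exchange(C, D, max_s)
        result["S"] = sorted(S)

    def p2(T):
        min_t = min(T)
        mx = exchange(D, C, min_t)       # [send(D, min) || receive(C, mx)]
        while guard(mx, min_t):          # do mx < min ->
            T = (T - {min_t}) | {mx}
            min_t = min(T)
            mx = exchange(D, C, min_t)
        result["T"] = sorted(T)

    threads = [threading.Thread(target=p1, args=(set(S),)),
               threading.Thread(target=p2, args=(set(T),))]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return result["S"], result["T"]


def page_guard(a, b):                    # the guard as written on the page
    return a < b


if __name__ == "__main__":
    # Constructed input: S and T are disjoint and non-empty.
    print(partition_layered([1, 2, 3], [4, 5, 6], page_guard))
    print(partition_distributed([1, 2, 3], [4, 5, 6], page_guard))
```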
1 Introduction

This paper focuses on the mathematical theory of state-based reasoning about
program constructs solely through specifications of their parts, without any re- 
liance on their implementation mechanism. That is, the semantic foundations of 
compositional state-based reasoning about concurrency. The main advantages of 
a purely semantic approach are that: 

— it highlights the very concept of compositional state-based reasoning about 
concurrency without any syntactic overhead, and 

— it serves as a basis for the encoding of the program semantics and correspond- 
ing proof rules inside tools such as PVS which support program verification.

Referring to [4] for the full theory, the present paper illustrates the semantic 
approach for a particular case, namely that of synchronous communication. Our 
own motivation for developing this theory derives from three sources: 

1. The dramatic simplification which such a semantical theory represents over
earlier, syntactically formulated, theories for the same concepts, such as, for 
instance, those of Job Zwiers [5]; this simplification was a prerequisite for 
writing [4]. 

2. Confronted with the many tool-based theories for compositional reasoning 
about concurrency, and their applications, such as the PVS-based ones which 
Jozef Hooman contributed to [4] and the present volume, that of Leslie 
Lamport and Bob Kurshan’s [3], or those mentioned in the contribution by 
Werner Damm, Amir Pnueli et al. to this volume, made us wonder which
compositional theories these authors actually implemented inside their tools. 

3. More generally, the relationship between operational and axiomatic seman- 
tics of programming languages, specifically, the construction of programming 
logics from a compositional semantics; this line of research was pioneered by 
Samson Abramsky [1].

The approach which is followed in this paper is based on the inductive as- 
sertion method [2] which is a methodology for proving state-based transition 
diagrams correct. It consists of the construction of an assertion network by as-
sociating with each location of a transition diagram a (state) predicate and with 
each transition a verification condition on the predicates associated with the 
locations involved. Thus it reduces a statement of correctness of a transition 

W.-P. de Roever, H. Langmaack, and A. Pnueli (Eds.): COMPOS’97, LNCS 1536, pp. 632-646, 1998. 

Springer-Verlag Berlin Heidelberg 1998
diagram, which consists of a finite number of locations, to a corresponding finite
number of verification conditions on predicates.

The inductive assertion method can be trivially generalized to concurrent 
transition diagrams by viewing a concurrent system as the product of its com- 
ponents and thus reducing it to a sequential system. However this global proof 
method leads to a number of verification conditions which is exponential in the
number of components. 

Compositional proof methods in general provide a reduction in the complexity
of the verification conditions. In this paper we investigate the semantic
foundations of a compositional proof method for concurrent transition diagrams
based on synchronous message passing. Technically, we combine so-called
compositionally inductive assertion networks for reasoning about the sequential
parts of concurrent systems with compositional proof rules for deducing
properties of the whole system, giving rigorous soundness and completeness proofs
for the resulting theory. The basic idea of a compositionally inductive assertion
network is the definition of the verification conditions in terms of a logical
history variable which records the sequence of communications generated by the
component (logical variables only occur in assertions, never in programs). The
parallel combination of these compositionally inductive assertion networks is
defined in terms of a simple semantic characterization of the variables and
channels involved in a predicate. (The semantic notion "involved in" of a
variable approximates the corresponding syntactic notion of occurrence.) More
specifically, the notion of the channels involved in a predicate is defined in
terms of a natural generalization of a projection operation on histories to
predicates. These predicates themselves are viewed semantically as sets of states.

The introduction of a history variable as a logical variable is the main
difference between noncompositional and compositional forms of reasoning (about
concurrency). In noncompositional proof methods the program is annotated with
assignments to so-called auxiliary variables which do not influence the control
flow but only serve to enhance the expressive power of the assertions associated
with the locations of a program. However, as analysis of compositional proof
methods shows, this is not true for compositional proof methods. There, logical
variables are introduced, which do not occur in any form inside a program, and
only occur inside assertions. What happens is that the assignments to auxiliary
variables are simulated at the logical level by appropriately defined verification
conditions for the (inductive) assertion networks for the sequential components
of a program. As a result, these logical variables simulate the local
(communication) histories of those sequential components. Consequently, the main
challenge in defining a compositional proof method for concurrent programs is the
formulation of a sound (and complete) proof rule for parallel composition! For
this to succeed it is mandatory that the specification for a to-be-composed
component only involves the variables and channels which are associated with that
component, because such a rule combines the only locally verified information
about the component into global information about the whole program, since,
otherwise, the local specification could be invalidated by the other parallel
components. This is accomplished by projecting the (communication) histories
encoded in these logical variables on the actions of that component. This
explains also why compositional proof methods always involve some form of
projection mechanism.

2 Synchronous transition diagrams 

We consider (top-level) parallel systems the components of which communicate 
by means of synchronous message passing along unidirectional one-to-one chan- 
nels. The control structure of a sequential component is described by means of 
a synchronous transition diagram. 

Formally such a diagram is a quadruple (L, T, s, t), where L is a finite set
of locations l, T is a finite set of transitions (l, a, l'), with a an instruction,
and s and t are the entry and exit location, respectively. The precise nature of
an instruction a is explained next.

Instructions involve either a guarded state-transformation or a guarded
communication. Given an infinite set of variables VAR, with typical elements
x, y, z, ..., the set of states Σ, with typical element σ, is given by VAR → VAL,
where VAL denotes the given underlying domain of values. Furthermore, let CHAN
be a set of channel names, with typical elements c, d, .... For c ∈ CHAN and e a
semantic expression, i.e., e ∈ Σ → VAL, execution of an output statement c!e has
to wait for execution of a corresponding input statement c?x, and, similarly,
execution of an input statement has to wait for execution of a corresponding
output statement. If there exists a computation in which both an input statement
c?x and an output statement c!e are reached, this implies that communication can
take place and the value of e in the current state is assigned to x. We often
refer to an input or output statement as an i/o statement. In general an
instruction a can have the following form:

1. A boolean condition b ∈ P(Σ) followed by a state transformation f ∈ Σ → Σ,
notation: b → f. Transitions of this form are called internal transitions.

2. A guarded i/o-statement. There are two possibilities:

(a) A guarded output statement c!e, notation: b → c!e (b ∈ P(Σ), e ∈ Σ → VAL).

(b) A guarded input statement c?x, notation: b → c?x (b ∈ P(Σ)).

These transitions are called i/o transitions.

Some terminology: In the sequel sets of states often will be called predicates. 
We have the following semantic characterization of the variables involved in a 
predicate and a state transformation. This characterization is an approximation 
of the corresponding syntactic notion of occurrence of a variable. 

Definition 1. A predicate φ ∈ P(Σ) involves the variables x̄ if

$$\forall \sigma, \sigma' \in \Sigma.\ \sigma(\bar{x}) = \sigma'(\bar{x}) \Rightarrow (\sigma \in \phi \Leftrightarrow \sigma' \in \phi).$$

This condition expresses that the outcome of φ only depends on the variables x̄.
Similarly, a function f ∈ Σ → Σ involves the variables x̄ if

$$\forall \sigma, \sigma' \in \Sigma.\ \sigma(\bar{x}) = \sigma'(\bar{x}) \Rightarrow f(\sigma)(\bar{x}) = f(\sigma')(\bar{x}),$$

$$\forall \sigma \in \Sigma,\ y \notin \bar{x}.\ f(\sigma)(y) = \sigma(y).$$

The first condition expresses that if two states σ and σ' agree with respect to
the variables x̄ then so do their images under f. The second condition expresses
that any other variable is not changed by f.

For x̄ we will use the notation f(x̄) and φ(x̄) to indicate that f and φ involve
the variables x̄. Note that for any function f which involves x̄ we also have that
f involves ȳ, for any x̄ ⊆ ȳ (and a similar remark applies to predicates).
Moreover we have that if f involves the variables x̄ and ȳ then f involves x̄ ∩ ȳ
(and similarly for predicates). This we can prove as follows: Let σ and σ' be
such that σ(x̄ ∩ ȳ) = σ'(x̄ ∩ ȳ). Let z̄ = ȳ \ x̄ and σ'' = σ{σ'(z̄)/z̄}. So we
have that σ(x̄) = σ''(x̄) and σ''(ȳ) = σ'(ȳ). Since f involves the variables x̄
and ȳ it then follows that f(σ)(u) = f(σ'')(u) = f(σ')(u), for u ∈ x̄ ∩ ȳ. In
other words, f(σ)(x̄ ∩ ȳ) = f(σ')(x̄ ∩ ȳ). Next let u ∉ x̄ ∩ ȳ, that is, u ∉ x̄
or u ∉ ȳ. Since f involves the variables x̄ and ȳ it thus follows that
f(σ)(u) = σ(u). A similar argument applies to predicates. Although this proves
that the sets of variables involved by f and φ are closed under finite
intersection, this does not necessarily imply that they are closed under
infinite intersection, as the following example shows.

Example 1. Let Var = {x1, x2, ...} and the predicate φ be defined as follows:

$$\sigma \in \phi \text{ if and only if } \exists i.\ \forall j, k > i.\ \sigma(x_j) = \sigma(x_k).$$

It follows that φ involves Var \ {x1, ..., xn}, for any n. But the infinite
intersection of the sets Var \ {x1, ..., xn} is empty and clearly it is not the
case that φ involves the empty set. (A similar counterexample applies to
functions.)

Consequently we restrict ourselves to functions f and predicates φ for which
there exists a finite set of variables which are involved by f and φ. Since any
intersection with a finite set can be reduced to a finite intersection, the
smallest set of variables involved by f (respectively φ) is well-defined. From
now on we will call this smallest set the set of variables involved by f
(respectively φ), also denoted by VAR(f) and VAR(φ). We will use the phrase 'the
variable x occurs in the state transformation f (predicate φ)' for x ∈ VAR(f)
(x ∈ VAR(φ)). The definition of involvement of a variable in a predicate is
extended in Def. 12 to involvement of a channel.

By VAR(P), for P a synchronous transition diagram, we denote the variables
occurring in its state transformations and boolean conditions. We call
synchronous transition diagrams P1, ..., Pn disjoint if their associated sets of
variables are mutually disjoint, and every channel occurring in P1, ..., Pn is
unidirectional and connects at most two different diagrams. In the sequel we
shall assume that only disjoint diagrams are composed in parallel. Formally, a
parallel system P is inductively defined as a parallel composition P1 || P2,
where Pi is either a sequential process, i.e. a synchronous diagram, or again a
parallel system. By VAR(P), for P a parallel system, we denote the variables
occurring in the state transformations and boolean conditions of its sequential
components. For parallel systems then we can also use the phrase 'the variable x
occurs in P' for x ∈ VAR(P). By CHAN(P) we denote the set of channel names
occurring in P.



3 Compositional semantics of synchronous transition 
diagrams 

Given a synchronous transition diagram P = (L, T, s, t) we define a labeled
transition relation between configurations (l; σ), where l ∈ L. The labels are
sequences of communications, denoted by θ. A communication itself is a pair
(c, v), with c a channel name and v ∈ VAL. It indicates that the value v has been
communicated along channel c. We assume the following operations on sequences:
the append operation, denoted by ·, and the operation of concatenation, denoted
by ∘. The projection operation is denoted by ↓, i.e. θ↓C, with C a set of
channels, denotes the subsequence of θ consisting of those communications
involving a channel c ∈ C. The empty sequence we denote by ε.

In the definition of the labeled transition relation we will make use of the
notion of a variant of a state.

Definition 2. We define

$$\sigma\{v/x\}(y) = \begin{cases} \sigma(y) & \text{if } x \text{ and } y \text{ are distinct,} \\ v & \text{otherwise.} \end{cases}$$



Definition 3. Let P = (L, T, s, t) be a synchronous transition diagram.

— In case of an internal transition (l, a, l') ∈ T, a = b → f, we have

$$(l; \sigma) \stackrel{\varepsilon}{\longrightarrow} (l'; \sigma'),$$

if σ ∈ b, where σ' = f(σ).

— In case of an output transition (l, a, l') ∈ T, a = b → c!e, we have, for
v = e(σ),

$$(l; \sigma) \stackrel{(c, v)}{\longrightarrow} (l'; \sigma),$$

if σ ∈ b.

— In case of an input transition (l, a, l') ∈ T, with a = b → c?x, we define,
for an arbitrary value v ∈ VAL,

$$(l; \sigma) \stackrel{(c, v)}{\longrightarrow} (l'; \sigma\{v/x\}),$$

if σ ∈ b.

Furthermore, we have the following rules for computing the reflexive, transitive
closure:

$$(l; \sigma) \stackrel{\varepsilon}{\Longrightarrow} (l; \sigma)$$

$$\frac{(l; \sigma) \stackrel{\theta}{\Longrightarrow} (l'; \sigma') \quad \text{and} \quad (l'; \sigma') \stackrel{\theta'}{\longrightarrow} (l''; \sigma'')}{(l; \sigma) \stackrel{\theta \circ \theta'}{\Longrightarrow} (l''; \sigma'')}$$
Using the above transition relation we can now define the semantics of a
synchronous transition diagram, in which the value received in an input
transition is selected by local guessing.

Definition 4. Let P = (L, T, s, t) be a synchronous transition diagram and
l ∈ L. We define

$$O_l(P) = \{(\sigma, \sigma', \theta) \mid (s; \sigma) \stackrel{\theta}{\Longrightarrow} (l; \sigma')\}.$$

Note that we now can also define the initial/final state semantics of P as
O_t(P), which we also denote by O(P).

In the following definition we extend the above semantics in a compositional
manner to parallel systems.

Definition 5. For P a parallel system P1 || P2, we define

$$O(P) = \{(\sigma, \sigma', \theta) \mid (\sigma, \sigma'_i, \theta_i) \in O(P_i),\ i = 1, 2\}.$$

Here σ'_i is obtained from σ' by assigning to the variables not belonging to
process Pi their corresponding values in σ (note that Pi changes only its own
local variables). The history θi denotes the projection θ↓CHAN(Pi) of θ along
the channels of Pi.

It is easy to see that the semantic operation of parallel composition defined
above is commutative and associative.

We observe that in the above definition the requirement that the local histories
θi can be obtained as the projection of one global history θ guarantees that an
input on a channel indeed can be synchronized with a corresponding output. Also
worthwhile to observe is the difference between the semantics of a parallel
system and a sequential process: the histories θ in O(P), for P a synchronous
transition diagram, contain only the communications of P itself, whereas in
O(P), with P a parallel system, they may also contain other communications.

Let us next explain the role of our basic assumption that channels are
unidirectional and one-to-one. The above compositional semantics would generate,
for example, for the network c?x || c?y || c!0 (abstracting from the locations)
in which c connects two consumers with one producer, a global history which in
fact models a multiparty communication interaction, i.e. the data produced is
consumed at the same time by both consumers. However, our intention is to
describe a communication mechanism such that any communication involves one
sender and one receiver only (as it is in CSP, for example). Concerning the
condition of uni-directionality of the channels, consider a network which
connects two processes P1 and P2 via a bi-directional channel c such that both
P1 and P2 first want to perform an input-statement on c and then an
output-statement on c. Thus both processes P1 and P2 act as producer and
consumer with respect to c. It is easy to see that O(P1 || P2) is non-empty,
whereas operationally this diagram clearly deadlocks. This is due to the fact
that the communication history does not indicate the direction of the
communications, and consequently does not capture the different roles of the i/o
statements c?x and c!e.

We conclude this section with the following simple closure property of O.

Lemma 6. Let P be a parallel system and θ↓CHAN(P) = θ'↓CHAN(P). It follows
that for every pair of states σ and σ',

$$(\sigma, \sigma', \theta) \in O(P) \text{ iff } (\sigma, \sigma', \theta') \in O(P).$$
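As an added example (not code from the paper), the transition relation of Definition 3, the semantics O_l(P) of Definition 4 and the parallel composition of Definition 5, implemented over a constructed two-valued domain VAL = {0, 1} with variables x and y, for acyclic diagrams with entry s and exit t. It reproduces both observations made above: the multiparty history that c?x || c?y || c!0 obtains, and the non-empty O(P1 || P2) for the bi-directional network that deadlocks operationally; the merge of local histories and the assumed variable sets V1, V2 per component are this example's own devices.

```python
from itertools import product

# Constructed finite universe so that the local guessing of input values in
# Definition 3 yields finitely many transitions.
VAL = (0, 1)
VARS = ("x", "y")
TRUE = lambda sigma: True

def variant(sigma, x, v):                  # sigma{v/x}, Definition 2
    return frozenset((y, w) for y, w in sigma if y != x) | {(x, v)}

def get(sigma, x):
    return dict(sigma)[x]

def all_states():
    return [frozenset(zip(VARS, vals)) for vals in product(VAL, repeat=len(VARS))]

def steps(P, l, sigma):
    """Single labelled steps (l;sigma) -> (l';sigma') of Definition 3. P is a list
    of transitions (l, a, l'), a = ("int", b, f), ("out", b, c, e) or ("in", b, c, x)."""
    for l0, a, l1 in P:
        if l0 != l or not a[1](sigma):
            continue
        if a[0] == "int":
            yield (), l1, a[2](sigma)
        elif a[0] == "out":
            yield ((a[2], a[3](sigma)),), l1, sigma
        else:                                  # input: guess every value v
            for v in VAL:
                yield ((a[2], v),), l1, variant(sigma, a[3], v)

def O(P, loc="t"):
    """O_l(P) of Definition 4 by exhaustive search from every initial state
    (diagrams are assumed acyclic, so the search is finite)."""
    result = set()
    for sigma0 in all_states():
        stack = [("s", sigma0, ())]
        while stack:
            l, sigma, theta = stack.pop()
            if l == loc:
                result.add((sigma0, sigma, theta))
            for label, l1, sigma1 in steps(P, l, sigma):
                stack.append((l1, sigma1, theta + label))
    return result

def merges(t1, C1, t2, C2):
    """Histories over C1 ∪ C2 whose projections on C1 and C2 are t1 and t2."""
    if not t1 and not t2:
        yield ()
        return
    if t1 and t1[0][0] in C2:                  # shared channel: must match in t2
        if t2 and t2[0] == t1[0]:
            for rest in merges(t1[1:], C1, t2[1:], C2):
                yield (t1[0],) + rest
    elif t1:                                   # channel private to P1
        for rest in merges(t1[1:], C1, t2, C2):
            yield (t1[0],) + rest
    if t2 and t2[0][0] not in C1:              # channel private to P2
        for rest in merges(t1, C1, t2[1:], C2):
            yield (t2[0],) + rest

def par(O1, C1, V1, O2, C2, V2):
    """O(P1 || P2) of Definition 5, global histories restricted to C1 ∪ C2;
    Vi are the variables of Pi, used to recombine the final states."""
    result = set()
    for s1, s1p, t1 in O1:
        for s2, s2p, t2 in O2:
            if s1 != s2:
                continue
            merged = frozenset((y, get(s1p, y) if y in V1 else get(s2p, y) if y in V2 else w)
                               for y, w in s1)
            for theta in merges(t1, C1, t2, C2):
                result.add((s1, merged, theta))
    return result

IN_X = [("s", ("in", TRUE, "c", "x"), "t")]                          # c?x
IN_Y = [("s", ("in", TRUE, "c", "y"), "t")]                          # c?y
OUT_0 = [("s", ("out", TRUE, "c", lambda sigma: 0), "t")]            # c!0
# the bi-directional network: each process first receives on c, then sends 0 on c
P1 = [("s", ("in", TRUE, "c", "x"), "m"), ("m", ("out", TRUE, "c", lambda sigma: 0), "t")]
P2 = [("s", ("in", TRUE, "c", "y"), "m"), ("m", ("out", TRUE, "c", lambda sigma: 0), "t")]

def proper_network():
    """c!0 || c?x: the only outcome assigns 0 to x with history <(c,0)>."""
    net = par(O(OUT_0), {"c"}, set(), O(IN_X), {"c"}, {"x"})
    return {(get(sp, "x"), th) for _, sp, th in net}

def multiparty_anomaly():
    """c?x || c?y || c!0: a single communication on c reaches both receivers."""
    consumers = par(O(IN_X), {"c"}, {"x"}, O(IN_Y), {"c"}, {"y"})
    net = par(consumers, {"c"}, {"x", "y"}, O(OUT_0), {"c"}, set())
    return {(get(sp, "x"), get(sp, "y"), th) for _, sp, th in net}

def bidirectional_anomaly():
    """O(P1 || P2) is non-empty although the network deadlocks operationally."""
    net = par(O(P1), {"c"}, {"x"}, O(P2), {"c"}, {"y"})
    return sorted({th for _, _, th in net})
```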

4 A compositional proof method 

In this section we first introduce compositionally inductive assertion networks
for reasoning about the sequential components of a parallel system. Then we
introduce compositional proof rules for deducing properties of the whole system.
The basic idea of a compositionally inductive assertion network is the definition
of the verification conditions in terms of a logical history variable which
records the sequence of communications generated by the component. The parallel
combination of these compositionally inductive assertion networks is defined in
terms of a simple semantic characterization of the variables and channels
involved in a predicate. The notion of the channels involved in a predicate is
defined in terms of a natural generalization of the projection operation on
histories to predicates.

We assume given a set of history variables HVAR ⊆ VAR and a distinguished
history variable h ∈ HVAR. A state σ ∈ Σ thus assigns to each history variable a
sequence of communications (and to each other variable an element of the given
domain VAL). The distinguished history variable h represents the sequence of
communications of the given parallel system. For every synchronous transition
diagram P we require that every state transformation f and boolean condition b
of P satisfies that VAR(f) ⊆ (VAR \ HVAR) and VAR(b) ⊆ (VAR \ HVAR). This
requirement then formalizes the condition that history variables do not occur
in any program.

In order to reason about an input statement c?x which involves the assignment
of an arbitrary value to x, we need the introduction of quantifiers involving
variables of the set VAR \ HVAR. We define for a predicate φ: σ ∈ ∃x.φ iff
there exists v ∈ VAL such that σ{v/x} ∈ φ.

Definition 7. An assertion network Φ for a synchronous transition diagram
P = (L, T, s, t) assigns to each l ∈ L a predicate Φ_l.

We have the following definition of a compositionally inductive assertion
network. In this definition, with φ a predicate, i.e. a set of states, and f a
state-transformation, f(φ) denotes the set {f(σ) | σ ∈ φ}, i.e., the image of
φ under f.

Definition 8. A local assertion network Φ for a synchronous transition diagram
P is called compositionally inductive if:

— For (l, a, l') a local transition of P, i.e., a = b → f for some boolean b and
state-transformation f, one has

$$f(\Phi_l \cap b) \subseteq \Phi_{l'}.$$
— For (l, a, l') an output transition of P, i.e. a = b → c!e, for some boolean
b, channel c and state-transformation f, one has

$$g(\Phi_l \cap b) \subseteq \Phi_{l'},$$

where g(σ) = σ{σ(h) · (c, σ(e))/h}.

— For (l, a, l') an input transition of P, i.e. a = b → c?x, for some boolean b,
channel c and state-transformation f, one has

$$g(\exists x.\Phi_l \cap b) \subseteq \Phi_{l'},$$

where g(σ) = σ{σ(h) · (c, σ(x))/h}.

We denote by P ⊢ Φ that Φ is a compositionally inductive assertion network
for P.

Definition 9. A partial correctness statement is of the form {φ}P{ψ}, where φ
and ψ are predicates, also called the precondition and postcondition, and P is
either a synchronous transition diagram or a parallel system.

Formally, validity of a partial correctness statement {φ}P{ψ}, with P either
a synchronous transition diagram or a parallel system, notation: ⊨ {φ}P{ψ}, is
defined with respect to the semantics O.

Definition 10. We define ⊨ {φ}P{ψ}, with P = (L, T, s, t) a synchronous
transition diagram, by

$$\text{for every } (\sigma, \sigma', \theta) \in O(P) \text{ such that } \sigma\{\varepsilon/h\} \in \phi, \text{ we have } \sigma'\{\theta/h\} \in \psi.$$

(Note that O(P) = O_t(P).) Similarly, we define ⊨ {φ}P{ψ}, for P a parallel
system, in terms of O(P).

Note that thus the validity of a partial correctness statement {φ}P{ψ} is
defined with respect to computations of P which start in a state in which the
history variable h is initialized to the empty sequence. We can impose this
restriction because we do not consider the sequential composition of parallel
systems (that is, we consider only top-level parallelism). For a discussion on
the consequences of such an operation we refer to the section on nested
parallelism.

Definition 11. For P = (L, T, s, t) a synchronous transition diagram, we have
the following main rule:

$$\frac{P \vdash \Phi}{\{\Phi_s\}P\{\Phi_t\}}$$

Moreover, for synchronous transition diagrams we have the following
initialization rule.

$$\frac{\{\phi \cap h = \varepsilon\}P\{\psi\}}{\{\phi\}P\{\psi\}}$$

where h = ε denotes the set {σ | σ(h) = ε}.




640 F.S. de Boer and W.-P. de Roever 

In order to define a rule for parallel composition we introduce the following
restriction operation on predicates.

Definition 12. Let φ be a predicate and C a set of channels. We denote by
φ↓C the predicate

$$\{\sigma \mid \text{there exists } \sigma' \in \phi \text{ s.t. } \sigma(x) = \sigma'(x) \text{ for } x \in VAR \setminus \{h\}, \text{ and } \sigma(h){\downarrow}C = \sigma'(h){\downarrow}C\}.$$

Note that φ↓C = φ indicates that, as far as the dependency of the value of φ
upon the value of h is concerned, the value of φ only depends on the projection
of the global history h on the channels C. More formally, φ↓C = φ indicates
that for every σ and σ' such that σ and σ' are the same but for the value of the
history variable h, and σ(h)↓C = σ'(h)↓C, we have

$$\sigma \models \phi \text{ if and only if } \sigma' \models \phi.$$

If φ↓C = φ then we also say that 'φ only involves the channels of C'.

We can now formulate the following rule for parallel composition.

Definition 13. Let P = P1 || P2 in the rule

$$\frac{\{\phi_1\}P_1\{\psi_1\},\quad \{\phi_2\}P_2\{\psi_2\}}{\{\phi_1 \cap \phi_2\}P\{\psi_1 \cap \psi_2\}}$$

provided ψi does not involve the variables of Pj and ψi↓CHAN(Pi) = ψi, i ≠ j.

Note that the restriction on channels indeed is necessary: consider for example
a network c!0 || d!0 (abstracting from the locations of the components).
Locally, we can prove

$$\{h = \varepsilon\}\,c!0\,\{h = \langle(c, 0)\rangle\} \quad \text{and} \quad \{h = \varepsilon\}\,d!0\,\{h = \langle(d, 0)\rangle\}$$

(here h = ε, for example, denotes the predicate {σ | σ(h) = ε}). Applying the
above rule leads to

$$\{h = \varepsilon\}\,c!0 \parallel d!0\,\{\mathit{false}\}.$$

However, this gives rise to incorrect results when further composing the system
c!0 || d!0. Observe that, e.g., the postcondition h = ⟨(c, 0)⟩ also involves
channel d; in fact, we have that h = ⟨(c, 0)⟩ involves all channels, and, hence,
the condition upon the postconditions ψi in the above rule for parallel
composition is violated.
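The verification conditions of Definition 8 and the restriction φ↓C of Definition 12, checked mechanically over a constructed finite universe (one variable x over {0, 1}, channels c and d, histories of length at most 2); this is an added example, not code from the paper. It confirms the local proof {h = ε} c!0 {h = ⟨(c, 0)⟩}, shows that this postcondition fails the side condition ψ↓{c} = ψ of the parallel rule and yields the empty (false) conjunction, and shows that the projected postcondition h↓{c} = ⟨(c, 0)⟩ is also inductive and does pass the side condition.

```python
from itertools import product

# Constructed finite universe (assumption of this example): one ordinary
# variable x over VAL, channels c and d, and the history variable h holding
# sequences of at most MAX_HIST communications.
VAL, CHAN, VARS, MAX_HIST = (0, 1), ("c", "d"), ("x",), 2

def all_histories():
    comms = [(c, v) for c in CHAN for v in VAL]
    for n in range(MAX_HIST + 1):
        yield from product(comms, repeat=n)

STATES = [frozenset(zip(VARS, vals)) | {("h", h)}
          for vals in product(VAL, repeat=len(VARS)) for h in all_histories()]

def get(sigma, y):
    return dict(sigma)[y]

def variant(sigma, y, v):                       # sigma{v/y}, Definition 2
    return frozenset((z, w) for z, w in sigma if z != y) | {(y, v)}

def proj(theta, C):                             # theta restricted to channels in C
    return tuple(cv for cv in theta if cv[0] in C)

# Predicates (sets of states) are represented by membership tests, so that
# states reached by appending to h, which may be longer than MAX_HIST, can
# still be tested; quantification over states ranges over STATES.
TRUE = lambda s: True
def h_equals(theta):          return lambda s: get(s, "h") == theta
def h_proj_equals(C, theta):  return lambda s: proj(get(s, "h"), C) == theta
def conj(p, q):               return lambda s: p(s) and q(s)
def exists(x, phi):           return lambda s: any(phi(variant(s, x, v)) for v in VAL)

def restrict(phi, C):                           # phi restricted to C, Definition 12
    return lambda s: any(all(get(s, y) == get(sp, y) for y in VARS)
                         and proj(get(s, "h"), C) == proj(get(sp, "h"), C)
                         for sp in STATES if phi(sp))

def same(p, q):
    return all(p(s) == q(s) for s in STATES)

def nonempty(phi):
    return any(phi(s) for s in STATES)

def involves_only(psi, C):                      # side condition of the parallel rule
    return same(restrict(psi, C), psi)

def append_h(sigma, comm):                      # g(sigma) = sigma{sigma(h).comm/h}
    return variant(sigma, "h", get(sigma, "h") + (comm,))

def vc_holds(phi_l, a, phi_l1):
    """One verification condition of Definition 8 for a transition (l, a, l');
    a is ("int", b, f), ("out", b, c, e) or ("in", b, c, x)."""
    kind, b = a[0], a[1]
    if kind == "int":
        source, step = phi_l, a[2]
    elif kind == "out":
        source, step = phi_l, (lambda s: append_h(s, (a[2], a[3](s))))
    else:
        source, step = exists(a[3], phi_l), (lambda s: append_h(s, (a[2], get(s, a[3]))))
    return all(phi_l1(step(s)) for s in STATES if source(s) and b(s))

def inductive(transitions, network):            # P |- Phi
    return all(vc_holds(network[l], a, network[l1]) for l, a, l1 in transitions)

# The page's components c!0 and d!0 (entry s, exit t), plus c?x.
OUT_C0 = [("s", ("out", TRUE, "c", lambda s: 0), "t")]
OUT_D0 = [("s", ("out", TRUE, "d", lambda s: 0), "t")]
IN_CX = [("s", ("in", TRUE, "c", "x"), "t")]
H_EMPTY = h_equals(())                          # h = epsilon
H_IS_C0 = h_equals((("c", 0),))                 # h = <(c,0)>: involves every channel
H_IS_D0 = h_equals((("d", 0),))
H_PROJ_C0 = h_proj_equals({"c"}, (("c", 0),))   # h|{c} = <(c,0)>: involves only c
H_PROJ_D0 = h_proj_equals({"d"}, (("d", 0),))

if __name__ == "__main__":
    print(inductive(OUT_C0, {"s": H_EMPTY, "t": H_IS_C0}))   # True: the local proof
    print(involves_only(H_IS_C0, {"c"}))                     # False: rule not applicable
    print(nonempty(conj(H_IS_C0, H_IS_D0)))                  # False: the 'false' postcondition
    print(involves_only(H_PROJ_C0, {"c"}))                   # True
    print(nonempty(conj(H_PROJ_C0, H_PROJ_D0)))              # True
```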

We conclude the exposition of the proof system with the following consequence
and elimination rules.

Definition 14. For P a synchronous transition diagram or a parallel system we
have the usual consequence rule:

$$\frac{\phi \subseteq \phi',\quad \{\phi'\}P\{\psi'\},\quad \psi' \subseteq \psi}{\{\phi\}P\{\psi\}}$$

For P a parallel system we have the elimination rule:

$$\frac{\{\phi\}P\{\psi\}}{\{\exists z.\phi\}P\{\psi\}}$$

where z is a sequence of variables which do not occur in P or ψ (i.e.
z ∩ (VAR(P) ∪ VAR(ψ)) = ∅).

Derivability of a partial correctness statement {φ}P{ψ} using the rules above,
with P a synchronous transition diagram or a parallel system, we denote by
⊢ {φ}P{ψ}.

5 Soundness 

We have the following soundness result for synchronous transition diagrams. 

Theorem 15. Let P = (L, T, s, t) be a synchronous transition diagram. We have
that P ⊢ Φ implies ⊨ {Φ_s}P{Φ_t}.

Proof

It suffices to prove that for every computation

$$(s; \sigma) \stackrel{\theta}{\Longrightarrow} (l; \sigma')$$

of P = (L, T, s, t), we have that σ{ε/h} ∈ Φ_s implies σ'{θ/h} ∈ Φ_l.

We proceed by induction on the length of the computation. We treat the case
that the last transition involves the execution of a guarded input b → c?x. Let

$$(s; \sigma) \stackrel{\theta}{\Longrightarrow} (l'; \sigma') \quad \text{and} \quad (l'; \sigma') \stackrel{(c, v)}{\longrightarrow} (l; \sigma'\{v/x\}),$$

with σ' ∈ b and σ{ε/h} ∈ Φ_s. By the induction hypothesis we have that

$$\sigma'\{\theta/h\} \in \Phi_{l'}.$$

We are given that Φ is compositionally inductive, so we have that

$$g(\exists x.\Phi_{l'} \cap b) \subseteq \Phi_l,$$

where g(σ) = σ{σ(h) · (c, σ(x))/h}, for every state σ. Now σ'{θ/h} ∈ Φ_l' ∩ b
(note that h ∉ VAR(b)), so

$$\sigma'\{v/x\}\{\theta/h\} \in \exists x.\Phi_{l'} \cap b.$$

Consequently,

$$g(\sigma'\{v/x\}\{\theta/h\}) = \sigma'\{v/x\}\{\theta \cdot (c, v)/h\} \in g(\exists x.\Phi_{l'} \cap b) \subseteq \Phi_l.$$

□

Next we prove soundness of the parallel composition rule (the proof of the
soundness of the other rules is standard).
Theorem 16. Let P = P1 || P2. We have that ⊨ {φ1}P1{ψ1} and ⊨ {φ2}P2{ψ2}
implies ⊨ {φ1 ∩ φ2}P{ψ1 ∩ ψ2}, provided ψi does not involve the variables of Pj
and ψi↓Ci = ψi, i ≠ j.

Proof

Let (σ, σ', θ) ∈ O(P) such that σ{ε/h} ∈ φ1 ∩ φ2. By the definition of O(P) we
have that

$$(\sigma, \sigma'_i, \theta_i) \in O(P_i),\ i = 1, 2,$$

where σ'_i is obtained from σ' by assigning to the variables not belonging to
process Pi their corresponding values in σ, and θi denotes the projection
θ↓CHAN(Pi) of θ along the channels of Pi.

By the induction hypothesis we have that σ'_i{θ_i/h} ∈ ψi, i = 1, 2. Since
ψi does not involve the variables of Pj and ψi↓Ci = ψi, we conclude that
σ'{θ/h} ∈ ψi, i = 1, 2. □



6 Semantic completeness 

We want to prove completeness, that is, we want to prove that every valid
partial correctness statement of a parallel system P is derivable. To this end
we introduce the following strongest postcondition semantics.

Definition 17. Given a synchronous transition diagram P = (L, T, s, t), l ∈ L,
and a precondition φ we define

$$SP_l(\phi, P) = \{\sigma\{\theta/h\} \mid \text{there exists } \sigma' \text{ s.t. } \sigma'\{\varepsilon/h\} \in \phi \text{ and } (\sigma', \sigma, \theta) \in O_l(P)\}.$$

By SP(φ, P), with P = (L, T, s, t), we denote SP_t(φ, P)↓CHAN(P). Similarly
we define SP(φ, P), for P a parallel system, in terms of O(P).

It is easy to see that ⊨ {φ}P{SP_t(φ, P)}, and that SP_t(φ, P) ⊆ ψ is implied
by the validity of {φ}P{ψ}, for P a synchronous transition diagram. Similarly,
for P a parallel system, we have that ⊨ {φ}P{SP(φ, P)} and that the validity of
{φ}P{ψ} implies SP(φ, P) ⊆ ψ. Moreover, we have that SP(φ, P) only involves
the channels of P.

Lemma 18. For P a synchronous transition diagram or a parallel system we
have that

$$SP(\phi, P){\downarrow}CHAN(P) = SP(\phi, P).$$

Proof

For P a synchronous transition diagram we have by definition that
SP(φ, P) = SP_t(φ, P)↓CHAN(P). For P a parallel system the statement follows
from the definition of SP(φ, P) and lemma 6. □

We have the following completeness result for synchronous transition diagrams.
Theorem 19. Let P be a synchronous transition diagram. We have

$$\vdash \{\phi\}P\{SP(\phi, P)\}.$$

Proof

Let P = (L, T, s, t) and let Φ be the assertion network which associates with
each location l of P the predicate SP_l(φ, P). It is easy to prove that this
assertion network is compositionally inductive. We treat the case of an input
transition (l, a, l') ∈ T, with a = b → c?x: We have to prove that

$$g(\exists x.SP_l(\phi, P) \cap b) \subseteq SP_{l'}(\phi, P),$$

where g(σ) = σ{σ(h) · (c, σ(x))/h}, for every state σ. To this end let

$$\sigma \in g(\exists x.SP_l(\phi, P) \cap b).$$

So we have that

$$\sigma = \sigma'\{v/x\}\{\sigma'(h) \cdot (c, v)/h\},$$

for some value v and state σ' ∈ SP_l(φ, P) ∩ b. By definition of SP_l(φ, P)
there thus exist states σ'' and σ''' with σ''{ε/h} ∈ φ and σ' = σ'''{θ/h} such
that

$$(s; \sigma'') \stackrel{\theta}{\Longrightarrow} (l; \sigma'''),$$

for θ = σ'(h). By definition 3, note that σ' ∈ b, it follows that

$$(l; \sigma''') \stackrel{(c, v)}{\longrightarrow} (l'; \sigma'''\{v/x\}).$$

We conclude that σ ∈ SP_l'(φ, P). Coming back to our main argument, we derive
by the main rule that

$$\vdash \{SP_s(\phi, P)\}P\{SP_t(\phi, P)\}.$$

Next we observe that (φ ∩ h = ε) ⊆ SP_s(φ, P) and that
SP_t(φ, P) ⊆ SP_t(φ, P)↓CHAN(P) (= SP(φ, P)). Thus an application of the
consequence rule gives us

$$\vdash \{\phi \cap h = \varepsilon\}P\{SP(\phi, P)\}.$$

We conclude with an application of the initialization rule that

$$\vdash \{\phi\}P\{SP(\phi, P)\}.$$

□

Now we want to prove ⊢ {φ}P{SP(φ, P)}, for P = P1 || P2. We first introduce
the following sets of variables and channels.

— x̄ = VAR(φ, ψ, P),

— x̄_i = VAR(P_i), i = 1, 2,

— C_i = CHAN(P_i), i = 1, 2.
By the induction hypothesis and the above theorem we have

$$\vdash \{\phi'\}P_i\{SP(\phi', P_i)\},\ i = 1, 2,$$

where φ' = (φ ∩ z̄ = x̄), with z̄ a sequence of 'fresh' variables corresponding
to x̄ (z̄ = x̄ denotes the set of states σ such that σ(z_i) = σ(x_i), for every
z_i ∈ z̄ and corresponding x_i). The variables z̄ are used to freeze the initial
values of x̄: the predicate z̄ = x̄ initializes the variables of z̄ to the values
of the corresponding x̄.

Applying the consequence rule we obtain

$$\vdash \{\phi'\}P_i\{\exists \bar{x}_j.SP(\phi', P_i)\},\ i, j \in \{1, 2\},\ i \neq j.$$

In order to apply the parallel composition rule we first observe that
∃x̄_j.SP(φ', P_i) does not involve the variables of P_j. Moreover it is easy to
prove that

$$(\exists \bar{x}_j.SP(\phi', P_i)){\downarrow}C_i = \exists \bar{x}_j.(SP(\phi', P_i){\downarrow}C_i).$$

By lemma 18 we thus derive that

$$(\exists \bar{x}_j.SP(\phi', P_i)){\downarrow}C_i = \exists \bar{x}_j.SP(\phi', P_i).$$

So the conditions of the parallel composition rule are satisfied. We obtain

$$\vdash \{\phi'\}P\{\exists \bar{x}_2.SP(\phi', P_1) \cap \exists \bar{x}_1.SP(\phi', P_2)\}.$$
To proceed we need the following main theorem. 

Theorem 20. We have (∃x̄_2.SP(φ', P_1) ∩ ∃x̄_1.SP(φ', P_2)) ⊆ SP(φ', P).

Proof

Let σ ∈ ∃x̄_2.SP(φ', P_1) ∩ ∃x̄_1.SP(φ', P_2). So there exist states σ_1 and σ_2
such that σ differs from σ_i only with respect to the variables x̄_j (i ≠ j), and
σ_i ∈ SP(φ', P_i), i, j ∈ {1, 2}. By definition of the strongest postcondition
and lemma 6 there exist states σ'_1 and σ'_2 such that

— σ'_1{ε/h}, σ'_2{ε/h} ∈ φ', and

— (σ'_i, σ_i, θ_i) ∈ O(P_i), where σ(h) = θ and θ_i = θ↓CHAN(P_i) (i = 1, 2).

Since σ'_i(z̄) = σ'_i(x̄) and σ(z̄) = σ_i(z̄) = σ'_i(z̄), it follows that σ'_1
and σ'_2 agree with respect to the variables x̄. Moreover, for any other variable
y ∈ VAR \ {h} we have that σ(y) = σ_i(y) = σ'_i(y). Summarizing, we have
established that σ'_1{ε/h} = σ'_2{ε/h}. Let us call this state σ''.

We have that σ_i(x̄_j) = σ''(x̄_j) (i ≠ j). In other words, σ_i can be obtained
from σ by assigning to the variables not belonging to process P_i their
corresponding values in σ''. So by definition of O(P) we derive that
(σ''{θ/h}, σ, θ) ∈ O(P), from which we obtain that σ ∈ SP(φ', P). □

Applying the consequence rule to {φ'}P{∃x̄_2.SP(φ', P_1) ∩ ∃x̄_1.SP(φ', P_2)}
we thus obtain

$$\vdash \{\phi'\}P\{SP(\phi', P)\}.$$
Since $\mathit{SP}(\varphi', P) \subseteq \mathit{SP}(\varphi, P)$ ($\varphi' \subseteq \varphi$ and $\mathit{SP}$ is monotonic in its first argument),
we derive by another application of the consequence rule

$$\{\varphi'\}\,P\,\{\mathit{SP}(\varphi, P)\}.$$

An application of the elimination rule then gives us

$$\{\exists z.\varphi'\}\,P\,\{\mathit{SP}(\varphi, P)\}.$$

Finally, we observe that $\varphi = \exists z.\varphi'$, from which the result follows.

7 Nested parallelism 

We have illustrated in this paper our general semantic approach to compositional
proof methods for concurrent systems by means of a compositional proof
method for parallel systems based on synchronous message passing. We refer to
[4] for a detailed exposition of various generalizations. Here we only sketch the
generalization to nested parallelism.

Nested parallelism arises when we introduce the operation of sequential composition
of synchronous transition diagrams. As has been pointed out in [5] this
operation requires the introduction in the proof method of the prefix-invariance
axiom. The basic ideas of the approach described in this paper have also been
applied smoothly in [4] to the semantic explanation of this "enigmatic" prefix-invariance
axiom. Semantically, the prefix-invariance axiom derives from the
following generalization of the validity of a partial correctness statement.

Definition 21. We define $\models \{\varphi\}\,P\,\{\psi\}$ as follows:

for every $(\sigma, \sigma', \theta) \in \mathcal{O}(P)$ such that $\sigma \in \varphi$, we have $\sigma'\{\sigma(h) \circ \theta / h\} \in \psi$.

The main difference with the notion of validity given in definition 10 is that we
do not require the initial history to be empty. This is clearly necessary when we
want to reason about sequential composition. However, the mere fact that we thus
need to reason about a possibly non-empty initial history already requires
the introduction of the prefix-invariance axiom, even in the context of top-level
parallelism! This follows from the standard example. We cannot derive the valid
correctness statement

$$\{(d, c) = h\}\; d! \parallel c!\; \{(d, c) < h\}$$

(we abstract both from locations and the values sent) which tells us that if the
past history consists of first a communication on $d$ followed by one on $c$, then
after the communications $d!$ and $c!$ one has that $(d, c)$ is a prefix (the prefix
relation on sequences is denoted by $<$) of the new history $h$. It is not difficult to
see that we cannot derive this correctness statement because of the restrictions
on the postconditions in the rule for parallel composition, namely that they
should involve only the channels of the components they describe.
In order to derive this correctness statement we have to introduce the following
prefix-invariance axiom:

$$\{t = h\}\; P\; \{t < h\}.$$

We can now prove, along the lines of the above completeness proof, that any
correctness statement $\models \{\varphi\}\,P\,\{\psi\}$ about a top-level parallel system $P$, which is
valid under the above new definition, is derivable (see [4]).
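As an added illustration, not part of the original paper, the standard example above is worked through in the paper's notation. It assumes that $h \downarrow C$ denotes the projection of a history onto the channels in $C$, that $\circ$ denotes concatenation as in Definition 21, and that the logical variable $t$ of the axiom may be instantiated by a constant via the consequence rule.

\[
\begin{array}{l}
\text{Local specifications confined to each component's own channel:}\\[2pt]
\{t = h\}\; d!\; \{h \downarrow \{d\} = (t \downarrow \{d\}) \circ (d)\}, \qquad
\{t = h\}\; c!\; \{h \downarrow \{c\} = (t \downarrow \{c\}) \circ (c)\}.\\[4pt]
\text{Parallel composition with } t = (d,c) \text{ yields at most}\\[2pt]
\{(d,c) = h\}\; d! \parallel c!\; \{h \downarrow \{d\} = (d,d) \;\wedge\; h \downarrow \{c\} = (c,c)\}.\\[4pt]
\text{This postcondition does not imply } (d,c) < h:\ \text{the history } h = (c,d,d,c)\\
\text{satisfies both conjuncts, yet } (d,c) \text{ is not a prefix of it.}\\[4pt]
\text{The prefix-invariance axiom instantiated for } P = d! \parallel c! \text{ gives}\\[2pt]
\{t = h\}\; d! \parallel c!\; \{t < h\}, \quad\text{and with } t = (d,c):\quad
\{(d,c) = h\}\; d! \parallel c!\; \{(d,c) < h\}.
\end{array}
\]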